Overview

overview

9

Static

static

3

Abbys Loader.exe

windows11-21h2-x64

9

Resubmissions

08-12-2023 21:49

231208-1pd5wseed7 9

08-12-2023 21:32

231208-1d5hpsedh7 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Abbys Loader.exe

  • Size

    8.3MB

  • Sample

    231208-1pd5wseed7

  • MD5

    e3ffc5689f47470d27cc887f436a6314

  • SHA1

    6dcd3bd8efe25473799c60e4a5c6bd452c6f173f

  • SHA256

    7cbe7d346f86a0f771e9cd2957f588b28310251461033a1e8e1fa47513f4544c

  • SHA512

    28f644253daf94d4f5032fa9cc2037240d3d35ce5fae90c9f0254db65798baa29079d9e4a0b961b61ffe0cb3e26ae11945a83f84da03565b2fb8b9798e7e4de3

  • SSDEEP

    196608:ib44X4ZJfaTLcGSp5Ri2SiW8kW8oaMjITKYODW:C44X4Z4TLcGSp5b28kKrBvW

Score
9/10
discoveryevasionpersistence

Malware Config

Targets

    • Target

      Abbys Loader.exe

    • Size

      8.3MB

    • MD5

      e3ffc5689f47470d27cc887f436a6314

    • SHA1

      6dcd3bd8efe25473799c60e4a5c6bd452c6f173f

    • SHA256

      7cbe7d346f86a0f771e9cd2957f588b28310251461033a1e8e1fa47513f4544c

    • SHA512

      28f644253daf94d4f5032fa9cc2037240d3d35ce5fae90c9f0254db65798baa29079d9e4a0b961b61ffe0cb3e26ae11945a83f84da03565b2fb8b9798e7e4de3

    • SSDEEP

      196608:ib44X4ZJfaTLcGSp5Ri2SiW8kW8oaMjITKYODW:C44X4Z4TLcGSp5b28kKrBvW

    Score
    9/10
    discoveryevasionpersistence

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Looks for VMWare Tools registry key

      evasion

    • Stops running service(s)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

File and Directory Permissions Modification

1
T1222

Impair Defenses

1
T1562

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

7
T1012

Software Discovery

1
T1518

Security Software Discovery

1
T1518.001

System Information Discovery

5
T1082

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks