Overview

overview

9

Static

static

7

o_0/cheeto.exe

windows7-x64

9

o_0/cheeto.exe

windows10-2004-x64

9

o_0/loader.exe

windows7-x64

9

o_0/loader.exe

windows10-2004-x64

9

Sharing

Copy URL Twitter E-mail

General

  • Target

    o_0_1.rar

  • Size

    8.0MB

  • Sample

    240223-qfbnasgd2z

  • MD5

    80a4a2b9c90ed81983d2ca746aab0e18

  • SHA1

    53c09e1047fd8faf73a67297d40869c32437e0ed

  • SHA256

    65114d3b20ff207f78061f5ead760581f707369bff3276807c41db6782027f8c

  • SHA512

    3ebf123faf5fa6e3235826af29e778d386798c0fd617c998d9d7c327fb1b47375432f2acc70981e81a79240b78a82631e44bb23913f1ff21aa09d50fca32a466

  • SSDEEP

    196608:s4P5B6nceudisddm2SFMOOLUh+oy/TcLS9ypLYLhbs5Wz0:s8B6vsa1FqLLotLRVAhz0

Score
9/10
evasionpersistencethemidatrojan

Malware Config

Targets

    • Target

      o_0/cheeto.exe

    • Size

      4.0MB

    • MD5

      1d9d9eb4caf4a92c2f2f1bd44ab1b695

    • SHA1

      d61006c87b7b567566e1c06f2cad209380ff70be

    • SHA256

      d5bd2d1990de46d98907c10c535cfe81ed10a9682fac36e089946ccc14ce3e0c

    • SHA512

      558d7ec35fb8480917a8a37b8e9aef44a5cb58be0c1842be8d9f6224250273a7c6f9f4d64306a38630d76ecd5533bec4cc5115c7e320495087fc91109f5e5093

    • SSDEEP

      98304:3VAyZVmCs9rhcw3M//OfYts2SsJXkn7IG/HPiduYf:uyZVmCs9rhlSm0siJdeJE

    Score
    9/10
    evasionpersistencethemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      o_0/loader.exe

    • Size

      4.1MB

    • MD5

      9ecdc9ed1bea6c226f92d740d43400b9

    • SHA1

      b5b5066cd4284733d8c3f3d7de3ca6653091ae10

    • SHA256

      60c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c

    • SHA512

      30bc705a2438288e3647d5adfc6119d751823970972b9c6b39a60384a2b7ac261986026b8d1c0b0ca7ee3d7e95363c97b873fdc5fad4096c903cb4e15bf57e43

    • SSDEEP

      98304:vnUGAC+hqc8lqvdzw2nsNKYYURyc9JirsN4JzmUPj:PTn2qcUzp6UYeJRCxPj

    Score
    9/10
    evasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks