egregor | b159761b935b8900da7dd255b75788c23f435e9f484e4fc38856edd4bab3faea

Sharing

Copy URL

Twitter E-mail

General

Target

Install Termius.exe
Size

172.3MB
Sample

240223-r9dv7acd5w
MD5

494c7f6deb444f536df66ff05d929179
SHA1

2a9b1f69321ca4731e26f8e8dd724b6cf33c88ce
SHA256

b159761b935b8900da7dd255b75788c23f435e9f484e4fc38856edd4bab3faea
SHA512

a86c26e16b9c8b005930bdee74b146d987a3df037b16449de394cc0c24795020e408c15099547047c433673d8061ad0aa28a0f09ea01c7a20413f606fbb7c2ee
SSDEEP

3145728:rvTebGPWsJrVXC7CgF6ANeVUgAPT4g69Pca6U5y+Rhk54bME0:78JercKA4+gAPcDeHdu5bME0

Score

10^/10

egregor discovery

Malware Config

Targets

- Target
  
  Install Termius.exe
- Size
  
  172.3MB
- MD5
  
  494c7f6deb444f536df66ff05d929179
- SHA1
  
  2a9b1f69321ca4731e26f8e8dd724b6cf33c88ce
- SHA256
  
  b159761b935b8900da7dd255b75788c23f435e9f484e4fc38856edd4bab3faea
- SHA512
  
  a86c26e16b9c8b005930bdee74b146d987a3df037b16449de394cc0c24795020e408c15099547047c433673d8061ad0aa28a0f09ea01c7a20413f606fbb7c2ee
- SSDEEP
  
  3145728:rvTebGPWsJrVXC7CgF6ANeVUgAPT4g69Pca6U5y+Rhk54bME0:78JercKA4+gAPcDeHdu5bME0
Score

5^/10

discovery
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/SpiderBanner.dll
- Size
  
  9KB
- MD5
  
  17309e33b596ba3a5693b4d3e85cf8d7
- SHA1
  
  7d361836cf53df42021c7f2b148aec9458818c01
- SHA256
  
  996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
- SHA512
  
  1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298
- SSDEEP
  
  192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY
Score

1^/10
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/StdUtils.dll
- Size
  
  100KB
- MD5
  
  c6a6e03f77c313b267498515488c5740
- SHA1
  
  3d49fc2784b9450962ed6b82b46e9c3c957d7c15
- SHA256
  
  b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
- SHA512
  
  9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
- SSDEEP
  
  3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
Score

3^/10
behavioral5 behavioral6
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  0d7ad4f45dc6f5aa87f606d0331c6901
- SHA1
  
  48df0911f0484cbe2a8cdd5362140b63c41ee457
- SHA256
  
  3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
- SHA512
  
  c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- SSDEEP
  
  192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score

3^/10
behavioral7 behavioral8
- Target
  
  $PLUGINSDIR/WinShell.dll
- Size
  
  3KB
- MD5
  
  1cc7c37b7e0c8cd8bf04b6cc283e1e56
- SHA1
  
  0b9519763be6625bd5abce175dcc59c96d100d4c
- SHA256
  
  9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
- SHA512
  
  7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f
Score

3^/10
behavioral10 behavioral9
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/keytar/win-ia32/keytar.node
- Size
  
  115KB
- MD5
  
  da698607c47fc6c765ab1fae782521d8
- SHA1
  
  7b277fc7b086016f176e42b925f215898f38d666
- SHA256
  
  bbd551f2950a407a834c15eeb7c71a818a6fd866dd24b16fc0ba135407f84fdd
- SHA512
  
  3a0a2d44f6746dcc3d983637a703cf005428e18025324c344593d3430e9eab98ec756fb9456fc393da5bf61b2744582d82634199241ef80a8675d20ba522f421
- SSDEEP
  
  3072:BKHnhWXw0a4PvawDIjHpl0whj4g8X/TNptYtPd:cHnh8w/IaVp14vPtY1d
Score

3^/10
behavioral11 behavioral12
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libfido2/index.js
- Size
  
  486B
- MD5
  
  33eb3f81c315aa1cab4dfa57e28b8c57
- SHA1
  
  ed240e139d672e27c73f8987564328253fc6fa52
- SHA256
  
  7823e992fe7f6c4e8951b3ef32302fcd1c719bd8301511e36b9781cbac50b05e
- SHA512
  
  d4842523b4650017fd2dd06d0974e04bd87b1222a1143ac6c87b6a2cd5e6c51b050bcd1aed36af83cb87ed783037507ef80c87261330e12d2cbefef42f99169a
Score

1^/10
behavioral13 behavioral14
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libfido2/win-ia32/cbor.dll
- Size
  
  180KB
- MD5
  
  d5d9f069feae15e01517d87af1ccd3ae
- SHA1
  
  6a7ec842de5a49fe90ee4fa3a9ca2235067b3ef2
- SHA256
  
  d0d24ba7ebfca5c050dbfd08df5519df8c8ae4f275188b01aa63eb28686b4934
- SHA512
  
  ac0a346df7d8512a551e825922a489dd6d990208c7665455c7318155576cb2699891a58b5b12ea4bd27e2ac5f3429b9abae3166b36942f84b558362ac1363835
- SSDEEP
  
  3072:WfzKUbDcqIfV4E54DIPQePucoINTpuqc2lv9HGjCv+GcAgnXl61x8aZTTVAopszT:WK9GjNWUXkyaZTppeiex6
Score

3^/10
behavioral15 behavioral16
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libfido2/win-ia32/crypto-46.dll
- Size
  
  1.4MB
- MD5
  
  1a655aca77bcfad2a53ed76a40fc9b2f
- SHA1
  
  c7cf2cf970022243077bb99c1489f2fe835c8422
- SHA256
  
  6d86a8066924f6bffe0db358f432e8bc134d75c4a9a2b3398fda592a3060d53f
- SHA512
  
  11e785065d8ee01f2911c09b80d4773a32915092c32d21b0ebaa43f83c67e02b5681152f94d467d8646719587d544036d319d77bd23e0b270686a2bc498b72a4
- SSDEEP
  
  24576:6wtkU3PGPEyPSRBktRdQGMkKd6EKVjUv+P647Nru/8kidIXDRNvKJ5uvHlne18Pu:fZyqotRdFqKVYWP647Nru5XDRNvKJ5uy
Score

3^/10
behavioral17 behavioral18
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libfido2/win-ia32/fido2.dll
- Size
  
  225KB
- MD5
  
  5c7cc2752ef1c854357b0d6b6adbc210
- SHA1
  
  452d6564b0e5aeb0d5b4e535186b46170ec7a7fb
- SHA256
  
  c0d3e49e26093460a8d8643ee0b745bf5f7904410c79a428a528d913eb76161c
- SHA512
  
  ee7798d30a1089c57c4b6c96f3954cb259ae6b04f7e2c6cb2aad1e96e0ed56250118b8380585cf30b061e30b500e013733e02dfab90e8cf1fae8e419f9b7fb03
- SSDEEP
  
  3072:zfvYjfgLOq2dMcChh7fM3TK8NqTq/zYykZEx5kcFOGQbe+mqIf+s6IAPvn6YhW:rgj9Q1v8QTUYy4oucobsV2hW
Score

3^/10
behavioral19 behavioral20
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libfido2/win-ia32/libfido2-nodejs.node
- Size
  
  521KB
- MD5
  
  10ddcb2631d543e04033d2ba185dda67
- SHA1
  
  e021f1da6eda9ac26545d98941b7f7b1fe177d2f
- SHA256
  
  a2943d3507c6abd8ded082ccc45ca3f3e9e553e87605f113014b1e62acb8efaa
- SHA512
  
  ffb27a968ea33ae2b9ac01edc1c6b819f02f60b24a20347fde90b22ddc2eb78d954ccbbd537112a7b81ef0b4ee355b675bd1d53b07d4f2462748fbf16095d96d
- SSDEEP
  
  12288:R+zxwvwC/EHAUPQe4NJ0sC8X9y2xnIxH8+Ixu0fl7jAg:OmvwFC9y2xl7jD
Score

3^/10
behavioral21 behavioral22
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libfido2/win-ia32/ssl-48.dll
- Size
  
  336KB
- MD5
  
  69f37486367f3d3b297142fb623b9185
- SHA1
  
  768894ff2d59819666ca4c522d28b35cb79d9890
- SHA256
  
  587ad436b0e758c9f09cefd1039ebe5bfe726fe314fb0d43a2833ab8251b3ec0
- SHA512
  
  079535f02a69e4ee4da9ab40a9c3f6ee798297a6bfaf9f3ee7b70e9bba8a44a4de8209afe8205638a170463a731bd2dc97523e630455c80c31499ecb15748262
- SSDEEP
  
  6144:MTinsVQMjqBALNMxWBywI3PQMgDrSeiocjcUbmYObux9ESliKyuKCZJOGuv9o9/B:rnsmMjqSBMxW0wIoMgDN1ylEekQYv3lg
Score

1^/10
behavioral23 behavioral24
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libfido2/win-ia32/tls-20.dll
- Size
  
  128KB
- MD5
  
  402e0ad5882c25ca84fe8c6e5d8d30f3
- SHA1
  
  fec93750632d662e6a513fb7261ce2180a308d04
- SHA256
  
  e4edd485bbbe05024435e9ea3737c7665d588251fe06c2b02365f6d036fb6aca
- SHA512
  
  326f759bfb0c3337332cf1b74b22df9aafa78d68e2e45c6c1d70cc685797a8a005cf5c762c72eda92a579f4befceb4e54500e12709ce90f59f3d20c6dd558962
- SSDEEP
  
  3072:w3a8MstIEHAzRroP6+VabbvW4eB/4PGIQthj:wq836BiPbVVBj
Score

3^/10
behavioral25 behavioral26
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libfido2/win-ia32/zlib1.dll
- Size
  
  174KB
- MD5
  
  26a9f5d5fa561b4a1afbd1a681b09847
- SHA1
  
  fe1d1df3731bec49ee26ab9eeee4e4585a75e505
- SHA256
  
  dad8b2f1c80449a72d5411ca24496931e3cd8ac481606f324d88c756ccaf78de
- SHA512
  
  796a185d9e3f2a5fb2e0d14e476b4670fd838b00a165541bf57a6d7b87787dc71e0611f43f4da0019810c230dc479f37ec3f51e247c37f4a24ea9640eb4d34a5
- SSDEEP
  
  3072:GF+X1LQ+sQsJCqLsh12oMo/aoF9GdXaicmwD70B1Bc6JftTBf/iFZQilQBNRMR8M:G+++sVJDseydaajN83cYTBHiFYNC8M
Score

3^/10
behavioral27 behavioral28
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libtermius/index.js
- Size
  
  480B
- MD5
  
  19f58a187f3cbdfcf9d7a5d2874d7399
- SHA1
  
  1f3ef9dc9bac9eec4fbcf870adc69e0770081baa
- SHA256
  
  d87f0c77ab587a7714d760f7f5759b229c5fc2b3c0fde3b2f16d3db4c27d4312
- SHA512
  
  a2b24d1ba2f915eccac73e8dfc2586a03fda651e0890c970aa94f3b701f3360e4bd771913a20382d18c6ca29397f470aa6b0d61c4da2cee2aea211df07cede93
Score

1^/10
behavioral29 behavioral30
- Target
  
  resources/app.asar.unpacked/node_modules/@termius/libtermius/win-ia32/libssh2.dll
- Size
  
  2.9MB
- MD5
  
  72d37e2ae392e6121c78fb095482db96
- SHA1
  
  a7ffd6d030b654011f46f0afab77c88de2a88fe5
- SHA256
  
  f6f93ce6a528ca62091898c0d6d76f5fd7158f1d23edfa7c7da07020b1175471
- SHA512
  
  c585c2010f68f18d2bec3adafc07bf1b5d443cb8e9a673422777c1e77058b22061cdfa2dc63661ca246421716e9750dcb364ce1e44aa10060d5aaaede1bd828d
- SSDEEP
  
  24576:GvNIzkQBpi+KpPQED3mUJVp5vBPobNJgJoqY3bBl0RFHRAHDdT4ajk6cIQikpjf1:GUbutD3L7KsFWjinjfDsEtvpp/TxTPP
Score

3^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Checks computer location settings

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32