General

  • Target

    S500 RAT.zip

  • Size

    60.4MB

  • Sample

    240227-qvmn4saa78

  • MD5

    c81e1a780bfe0c0c08cc065c07f9ccf4

  • SHA1

    b6323176ddcc6b1a39ee9d6645ff8423656158b0

  • SHA256

    d5875d4d08dac2c89551c28981c116d428260e9cc8f3de064123922d88dae06f

  • SHA512

    17a497f77457feb2b9c25fa138338e58dbeab21dc263d9f4407f4669d45b05c31ff75b6bc24f27a5387c0e96e3807c804ddda2cd0d1b169d7dbb278625b6f59e

  • SSDEEP

    1572864:ogpmeR1RFRShPdw2L0POYJhtzU9lr7RvVST:HHp2w2GzurFVST

Targets

    • Target

      S500 RAT.zip

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified build of it.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
