General

  • Target

    f8b2a71a34172076cc65f15d14ed43099a1ddf0a294ffe34c6004ae430a10317.zip

  • Size

    16.8MB

  • Sample

    240306-c7rlyaad98

  • MD5

    411c42df8bb6b851d363a8669318f5fd

  • SHA1

    d8bc9470f380d7cc5863810ed834e0831f296661

  • SHA256

    f8b2a71a34172076cc65f15d14ed43099a1ddf0a294ffe34c6004ae430a10317

  • SHA512

    bb450df92f7f2e6fa06bd11d72e37561126f7fc63138ebb838f0af5327dd97ed25fac82513ce5bb695d843dda7469afbba26785b4d49745fd5f0f3b15fdbb7c1

  • SSDEEP

    393216:L7d1ETEkmpnpdtIJPAIf5MV6oub01DKYPB+yBjw1KTqdn:1STWJpdtC4Ifa9oo+oBjwR

Malware Config

Targets

    • Target

      Installer.exe

    • Size

      327.7MB

    • MD5

      7e25fdb1932480e3e6ec31b22d08c19e

    • SHA1

      0dfca2e6c1c89b1e85fdbb9da31a93964db7b826

    • SHA256

      fbef401c6a7ad24640f6b6583aa0d0fa02aa895c47ab08e68b0e6e312d1b42a5

    • SHA512

      2bb81a8ddda7ef4bbc9508c7c80f56b5a00215674ad38e442937c42a2ecdf4e827b906b97bf63c67c36dd0a7ef78d2c6b5b6202d96516ece8b5d2dbd355f8326

    • SSDEEP

      196608:99GeDVI5DKBWZlkgJedYs6LtYdEhqTgKDf:9kYVI5DK2NNs6LtYdEhSpz

    • Jupyter, SolarMarker

      Jupyter is a backdoor and infostealer first seen in mid-2020.

    • Detects executables packed with Agile.NET / CliSecure

    • Detects executables packed with Themida

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in the registry

      BIOS information is often read in order to detect sandbox environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks