General

  • Target

    b4e094a5fafc8ab2c37a32137b1df21a.bin

  • Size

    375.2MB

  • Sample

    240326-ee111sff3t

  • MD5

    b4e094a5fafc8ab2c37a32137b1df21a

  • SHA1

    6016a767b776132b73c59dd5a0213fbb0bce0f72

  • SHA256

    dcdd4aaad5178efc26cbff22432e0a327622aed85bc74e323f07156014fcdae8

  • SHA512

    9d02fe151be395a789b0c9d6c3ff793252d16268c7d69ae8dd8d67b17eefc04c94f97f20771da4bec9130edf13e17f5edd7156b38096ec9723e175bdf8108987

  • SSDEEP

    98304:EB2pC6XG4HNkq5UKPhc24Y1/QPldHVTgPNhV0ADXqQgpkWDRIZVMnu0jjD8ueJU:tcUG4raKu24YY7HVT4hV0AD6QgqKRgX

Malware Config

Targets

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks