General
-
Target
BLTools V2.0.0.exe
-
Size
7.4MB
-
Sample
240416-a8a98sch87
-
MD5
1a8902cd60c38c8e2f0e752d45627dd9
-
SHA1
3e5767b0243ff466ba6db2974e4a87a295419cd4
-
SHA256
5c5f543002e61369b783a15a504231dc794359c41c0054655f04a3596e6124d8
-
SHA512
0951af3fe1c76e3b34b39a9f9b6d419896dfcb14f004646b769d8171cbe57aa2661d595dce35b9da31d9e509e190f00fa0e08c712ed422b98f0848cb11a64a45
-
SSDEEP
196608:7dg6mgSSRoyMU48mrvL/m9jmAD8SQQ6DIxp:XayR48SviwUyDIxp
Static task
static1
Behavioral task
behavioral1
Sample
BLTools V2.0.0.exe
Resource
win10v2004-20240412-en
Malware Config
Targets
-
-
Target
BLTools V2.0.0.exe
-
Size
7.4MB
-
MD5
1a8902cd60c38c8e2f0e752d45627dd9
-
SHA1
3e5767b0243ff466ba6db2974e4a87a295419cd4
-
SHA256
5c5f543002e61369b783a15a504231dc794359c41c0054655f04a3596e6124d8
-
SHA512
0951af3fe1c76e3b34b39a9f9b6d419896dfcb14f004646b769d8171cbe57aa2661d595dce35b9da31d9e509e190f00fa0e08c712ed422b98f0848cb11a64a45
-
SSDEEP
196608:7dg6mgSSRoyMU48mrvL/m9jmAD8SQQ6DIxp:XayR48SviwUyDIxp
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Registry
2Virtualization/Sandbox Evasion
1