9d2ad8c13ed60d88296433fd3b911995589ff90c476f4ec028596f43f1ac9fe3

General

Target

Jz.exe
Size

7.5MB
Sample

240416-ap8fmaec3w
MD5

cf7974f3af7e1307a4c325750febb201
SHA1

8b1695eb2481872694ac785ba0a14c8e1bb7398c
SHA256

9d2ad8c13ed60d88296433fd3b911995589ff90c476f4ec028596f43f1ac9fe3
SHA512

150895aaf679304c6715368561e8435f6290fcf714f98dac1f0714e6057304708c6524ed1d323426822b765a2e6d578fc618628d1f9ba998afb6564109600612
SSDEEP

196608:XdgqoyUWq8D+w448SSwzxzgjboADM8IaeTCRI:FawN8SXz+YUIRCRI

Score

10^/10

Malware Config

Targets

- Target
  
  Jz.exe
- Size
  
  7.5MB
- MD5
  
  cf7974f3af7e1307a4c325750febb201
- SHA1
  
  8b1695eb2481872694ac785ba0a14c8e1bb7398c
- SHA256
  
  9d2ad8c13ed60d88296433fd3b911995589ff90c476f4ec028596f43f1ac9fe3
- SHA512
  
  150895aaf679304c6715368561e8435f6290fcf714f98dac1f0714e6057304708c6524ed1d323426822b765a2e6d578fc618628d1f9ba998afb6564109600612
- SSDEEP
  
  196608:XdgqoyUWq8D+w448SSwzxzgjboADM8IaeTCRI:FawN8SXz+YUIRCRI
Score

10^/10

agilenet evasion persistence themida trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- UAC bypass
  evasion trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1