General
- Target: loxvanity.exe
- Size: 7.5MB
- Sample: 240416-bww7lsfg7v
- MD5: ae18d7298dbd5a2f9a1205155f9c03b6
- SHA1: baf3d83ad8a391d36d0a0fdf3a0a510afa4ccc59
- SHA256: 88417151070ccd5906c410061a2d27faf14473607c11eecc58fa56e60f3caf4b
- SHA512: a3988d5d1b8102bc1f074f6c4e1ada4db7bcf673fe81734b82b710c822698f55df5a4a6aaf3734f64cb6282b22eeb9a5eefce390bc1304cbcdff7ec0dbf0e2ef
- SSDEEP: 196608:Rdg6G0KaH2EGMII+QvlRXgh9OADa8k2mv899:1WEfIIDvlCiUCd899
- Static task: static1

Malware Config
Targets
- Target: loxvanity.exe
- Size: 7.5MB
- MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the values listed under General above
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, Block at First Sight, etc.
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (1)
- Disable or Modify Tools (1)
- Modify Registry (1)
- Virtualization/Sandbox Evasion (1)