General
Target: loxvanity.exe
Size: 7.5MB
Sample: 240416-bww7lsfg7v
MD5: ae18d7298dbd5a2f9a1205155f9c03b6
SHA1: baf3d83ad8a391d36d0a0fdf3a0a510afa4ccc59
SHA256: 88417151070ccd5906c410061a2d27faf14473607c11eecc58fa56e60f3caf4b
SHA512: a3988d5d1b8102bc1f074f6c4e1ada4db7bcf673fe81734b82b710c822698f55df5a4a6aaf3734f64cb6282b22eeb9a5eefce390bc1304cbcdff7ec0dbf0e2ef
SSDEEP: 196608:Rdg6G0KaH2EGMII+QvlRXgh9OADa8k2mv899:1WEfIIDvlCiUCd899
Static task: static1
Malware Config
Targets
Target: loxvanity.exe (size and hashes as listed under General above)
Signatures
Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (1)
  Virtualization/Sandbox Evasion (1)