Analysis Overview
SHA256
c603a87cacf12026db4d215e466599ca52f495334eb78fb438aaaa834437f5f1
Threat Level: Known bad
The file Deadly Team and VBR Cracked by SobFoX.zip was found to be: Known bad.
Malicious Activity Summary
Detect Lumma Stealer payload V4
Lumma family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Themida packer
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Runs net.exe
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-26 01:01
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Lumma family
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-26 01:01
Reported
2024-04-26 01:04
Platform
win10v2004-20240412-en
Max time kernel
106s
Max time network
108s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Runs net.exe
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Deadly Team and VBR Cracked by SobFoX.zip"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\start.cmd" "
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe
"crack.exe"
C:\Windows\system32\PING.EXE
ping -n 3 127.0.0.1
C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe
"NewLoader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\start.cmd"
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe
"crack.exe"
C:\Windows\system32\PING.EXE
ping -n 3 127.0.0.1
C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe
"NewLoader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe
"C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Initialized && timeout /t 5"
C:\Windows\system32\cmd.exe
cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: Initialized && timeout /t 5"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe
"C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\start.cmd" "
C:\Windows\system32\net.exe
net session
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\crack.exe
"crack.exe"
C:\Windows\system32\PING.EXE
ping -n 3 127.0.0.1
C:\Users\Admin\Desktop\Deadly Team and VBR Cracked by SobFoX\NewLoader.exe
"NewLoader.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:49731 | | tcp |
| N/A | 127.0.0.1:49733 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 2.18.190.147:80 | | tcp |
Files
memory/1688-0-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/1688-2-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/1688-1-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/1688-6-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/1688-7-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/1688-8-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/1688-9-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/1688-10-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/1688-11-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/1688-12-0x0000027CF5BE0000-0x0000027CF5BE1000-memory.dmp
memory/5040-13-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/5040-14-0x00007FFA82670000-0x00007FFA82865000-memory.dmp
memory/5040-15-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/5040-16-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/5040-17-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/5040-18-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/5040-19-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/5040-20-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/5040-21-0x00007FFA82670000-0x00007FFA82865000-memory.dmp
\??\PIPE\srvsvc
| Hash | Value |
|---|---|
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2848-23-0x00007FFA82670000-0x00007FFA82865000-memory.dmp
memory/2848-24-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/2848-25-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/2848-26-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/2848-27-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/2848-28-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/2848-29-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/2848-30-0x00007FFA82670000-0x00007FFA82865000-memory.dmp
memory/1708-31-0x00007FFA82670000-0x00007FFA82865000-memory.dmp
memory/1708-32-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/1708-33-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/1708-34-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/1708-35-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/1708-36-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/1708-37-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/1708-38-0x00007FFA82670000-0x00007FFA82865000-memory.dmp
memory/676-40-0x00007FFA82670000-0x00007FFA82865000-memory.dmp
memory/676-41-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/676-42-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/676-43-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/676-44-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/676-45-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/676-46-0x00007FF6792D0000-0x00007FF679CDB000-memory.dmp
memory/676-47-0x00007FFA82670000-0x00007FFA82865000-memory.dmp