8a9de744f3f85a82ef8247c5f21be9e4e7c8ebdaed706a9adafa55ab62059f80 | Triage

Sharing

General

Target

174e231808ac4c450e2db5aa7f8425c1_JaffaCakes118
Size

12.4MB
Sample

240505-mrsjeaah77
MD5

174e231808ac4c450e2db5aa7f8425c1
SHA1

7bc04c69fa5bcc73444067a392644314d20497d8
SHA256

8a9de744f3f85a82ef8247c5f21be9e4e7c8ebdaed706a9adafa55ab62059f80
SHA512

37dee351189636f7288117fe4d806b3636d98aaa1e21f4b2f068450815a4ef9451f9b141d551a9f62da6b8fe8dc7242ec4f00147f5ca897af56ebea02f4714f8
SSDEEP

393216:9ivzYg+yy4FPXQWBV2mThqF/om2GVd3T91:Ev5+6XxV2mTU9T3T/

Score

9^/10

agilenet evasion vmprotect

Malware Config

Targets

- Target
  
  Pain Exist 3.9/Bunifu_UI_v1.5.3.dll
- Size
  
  323KB
- MD5
  
  e0ef2817ee5a7c8cd1eb837195768bd2
- SHA1
  
  426ea1e201c7d3dc3fadce976536edce4cd51bce
- SHA256
  
  76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930
- SHA512
  
  5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c
- SSDEEP
  
  3072:cF7t/92eSp+nuthzYeSRwwdrmMaXyXL5NQKCZIWD144HcH0CbBxyKfoYA05bC61h:eOthMswV7aXyXLSO4HcHByY35b9DYr
Score

1^/10
behavioral1 behavioral2
- Target
  
  Pain Exist 3.9/FastColoredTextBox.dll
- Size
  
  331KB
- MD5
  
  7d315038da4cb77039dc315c64946e22
- SHA1
  
  c213bf396157ef97c23a751aebcabfb26f34b7d0
- SHA256
  
  777c68c5c47cf91e18583a0fa50b556b1551898a07097f296a0811943a493fa6
- SHA512
  
  794a8f00629f083edf3a7c20fb22fc29a13e1c6822bffcc0696918b7b999a53483d867ea6b7ee08352b4ddfc21c75f03a68a6b45ccab8c4b2ccf582383a6b87e
- SSDEEP
  
  6144:0IhBMO76XPxAn90aIqEokJEBNfxfXsrYGeBcHeDsGLPDJ:04cCNNGeMrkD
Score

1^/10
behavioral3 behavioral4
- Target
  
  Pain Exist 3.9/LogIn.dll
- Size
  
  88KB
- MD5
  
  03621cca4edfda4752ab77e5d3f824b3
- SHA1
  
  657d7d20d1bbed15b28dc2e4cd8847e811239df2
- SHA256
  
  332d7006b1d7815e8792371ba4cf32be0261a36e1eda34b38e4c92163157410b
- SHA512
  
  8acfca1dbda88fc055b60d4ea014a0c9f48cc9af3c6fd8bb91103db2dc97e007b4d638ad356d195f63825647d4d4f26f37439cbf374fac6888293f3624859165
- SSDEEP
  
  1536:eKNXUYZGxQIIl8AnyAdVj6yykiCobYIY5Ww4+9j2ogkpfcc:eOEYZGmIIzyAdVOhkmYb99j2oNpF
Score

1^/10
behavioral5 behavioral6
- Target
  
  Pain Exist 3.9/MetroFramework.dll
- Size
  
  345KB
- MD5
  
  34ea7f7d66563f724318e322ff08f4db
- SHA1
  
  d0aa8038a92eb43def2fffbbf4114b02636117c5
- SHA256
  
  c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49
- SHA512
  
  dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148
- SSDEEP
  
  6144:M4S7k5hdCpU4YqfkUGz6KpQQZQHDXjNCdOZgLdL5DXBK:M4S7k5hdCEQHP1Zgj
Score

1^/10
behavioral7 behavioral8
- Target
  
  Pain Exist 3.9/Pain Exist 3.9.exe
- Size
  
  5.0MB
- MD5
  
  476ad1e42f46dc9fa19d292c86912339
- SHA1
  
  9b56b06e658e09db429ffe0b277ade58951195df
- SHA256
  
  8ce7960ddd89997626bf08a9f105509921aa38901cb0c113ae37a9e9718ef46b
- SHA512
  
  ae747c67de618fb54be1f2a53eac0c1d820cd540f959b7925e2ed49e9134e3bd0902b39816cdb4029a5671d0211244590d975048edca1638a45a09e572ad22fa
- SSDEEP
  
  98304:+2aAJLs/Zb7yRZmkew0jLLqUK1OlXKNH0bwt9stD+6f:8AJLs/ZPyLmxvLqU3XKBe
Score

9^/10

agilenet evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral10 behavioral9
- Target
  
  Pain Exist 3.9/PainModule.dll
- Size
  
  6.8MB
- MD5
  
  61db7ecdc707673f5797425d3e936870
- SHA1
  
  802da01ef03a4aa806db3f7c0f9ff960fc5424e5
- SHA256
  
  2ce31c255dfc3a5bc85f03c2eed482e3824d283f53e8e4ad1d31be8fe32dc2cb
- SHA512
  
  d9af56acc2e3408194e3331fde24f88848453ed0d13a442bd873f31246ceab538bdcbbd9aeb4e948c2ea9512dd7f303f0674c2535afcbfff9e737b1d48445683
- SSDEEP
  
  196608:ZiJHJtypF7mBSWcZuAkWwvavP1R0UB5MSr:cV7yn7mUQAkavP1CUB5MSr
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral11 behavioral12
- Target
  
  Pain Exist 3.9/ScintillaNET.dll
- Size
  
  1.3MB
- MD5
  
  9166536c31f4e725e6befe85e2889a4b
- SHA1
  
  f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae
- SHA256
  
  ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163
- SHA512
  
  113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562
- SSDEEP
  
  24576:IJSShz305vgNF7/cOCPHPSVs4Eq+QTNX+cfQdS+2MMPishd/Ws5:ti0aNvoHqs4L95X+cfx/HGC
Score

1^/10
behavioral13 behavioral14
- Target
  
  Pain Exist 3.9/discord-rpc-w32.dll
- Size
  
  289KB
- MD5
  
  a1c35901ad26a30c5b7836771b6badff
- SHA1
  
  94a57cd3452a53c209323a1ce738b9f0fb0d6087
- SHA256
  
  517240600b04d454cc5ab7b03e43c4af5a0b831fd2515f25c015a83652ad4cac
- SHA512
  
  0af73788858e85df874cc232f5d31765648ffbf53d7fdf388fc1b619f44b9ca172c3ac92c983cbeec5d22b6692cd7d3f20734c8e759fe9cf53ac2671d9c1d5e4
- SSDEEP
  
  6144:iiLsvWG766dSiKXs2Ol2JWzh0TWxwpeqN55I8pF+WVe2KN6nB/F:iiLmW8daXs2dWzx5M5I8P+WM2a6tF
Score

3^/10
behavioral15 behavioral16

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

agilenetevasion

behavioral10

agilenetevasion

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16