8a9de744f3f85a82ef8247c5f21be9e4e7c8ebdaed706a9adafa55ab62059f80 | Triage

Sharing

General

Target

174e231808ac4c450e2db5aa7f8425c1_JaffaCakes118
Size

12.4MB
Sample

240505-mrsjeaah77
MD5

174e231808ac4c450e2db5aa7f8425c1
SHA1

7bc04c69fa5bcc73444067a392644314d20497d8
SHA256

8a9de744f3f85a82ef8247c5f21be9e4e7c8ebdaed706a9adafa55ab62059f80
SHA512

37dee351189636f7288117fe4d806b3636d98aaa1e21f4b2f068450815a4ef9451f9b141d551a9f62da6b8fe8dc7242ec4f00147f5ca897af56ebea02f4714f8
SSDEEP

393216:9ivzYg+yy4FPXQWBV2mThqF/om2GVd3T91:Ev5+6XxV2mTU9T3T/

Score

9^/10

agilenet evasion vmprotect

Malware Config

Targets

- Target
  
  Pain Exist 3.9/Bunifu_UI_v1.5.3.dll
- Size
  
  323KB
- MD5
  
  e0ef2817ee5a7c8cd1eb837195768bd2
- SHA1
  
  426ea1e201c7d3dc3fadce976536edce4cd51bce
- SHA256
  
  76e1d3ec95fdef74abaf90392dd6f4aa5e344922abf11e572707287d467f2930
- SHA512
  
  5ad95dd7f0e712d543acfe7fd4539695f7e894988c0a2c44231c43e5ee29e743cb1ffe6bdf1fbdbdcfd3aa374f036113bcc6a1befd0114954093520bac47234c
- SSDEEP
  
  3072:cF7t/92eSp+nuthzYeSRwwdrmMaXyXL5NQKCZIWD144HcH0CbBxyKfoYA05bC61h:eOthMswV7aXyXLSO4HcHByY35b9DYr
Score

1^/10
behavioral1 behavioral2
- Target
  
  Pain Exist 3.9/FastColoredTextBox.dll
- Size
  
  331KB
- MD5
  
  7d315038da4cb77039dc315c64946e22
- SHA1
  
  c213bf396157ef97c23a751aebcabfb26f34b7d0
- SHA256
  
  777c68c5c47cf91e18583a0fa50b556b1551898a07097f296a0811943a493fa6
- SHA512
  
  794a8f00629f083edf3a7c20fb22fc29a13e1c6822bffcc0696918b7b999a53483d867ea6b7ee08352b4ddfc21c75f03a68a6b45ccab8c4b2ccf582383a6b87e
- SSDEEP
  
  6144:0IhBMO76XPxAn90aIqEokJEBNfxfXsrYGeBcHeDsGLPDJ:04cCNNGeMrkD
Score

1^/10
behavioral3 behavioral4
- Target
  
  Pain Exist 3.9/LogIn.dll
- Size
  
  88KB
- MD5
  
  03621cca4edfda4752ab77e5d3f824b3
- SHA1
  
  657d7d20d1bbed15b28dc2e4cd8847e811239df2
- SHA256
  
  332d7006b1d7815e8792371ba4cf32be0261a36e1eda34b38e4c92163157410b
- SHA512
  
  8acfca1dbda88fc055b60d4ea014a0c9f48cc9af3c6fd8bb91103db2dc97e007b4d638ad356d195f63825647d4d4f26f37439cbf374fac6888293f3624859165
- SSDEEP
  
  1536:eKNXUYZGxQIIl8AnyAdVj6yykiCobYIY5Ww4+9j2ogkpfcc:eOEYZGmIIzyAdVOhkmYb99j2oNpF
Score

1^/10
behavioral5 behavioral6
- Target
  
  Pain Exist 3.9/MetroFramework.dll
- Size
  
  345KB
- MD5
  
  34ea7f7d66563f724318e322ff08f4db
- SHA1
  
  d0aa8038a92eb43def2fffbbf4114b02636117c5
- SHA256
  
  c2c12d31b4844e29de31594fc9632a372a553631de0a0a04c8af91668e37cf49
- SHA512
  
  dceb1f9435b9479f6aea9b0644ba8c46338a7f458c313822a9d9b3266d79af395b9b2797ed3217c7048db8b22955ec6fe8b0b1778077fa1de587123ad9e6b148
- SSDEEP
  
  6144:M4S7k5hdCpU4YqfkUGz6KpQQZQHDXjNCdOZgLdL5DXBK:M4S7k5hdCEQHP1Zgj
Score

1^/10
behavioral7 behavioral8
- Target
  
  Pain Exist 3.9/Pain Exist 3.9.exe
- Size
  
  5.0MB
- MD5
  
  476ad1e42f46dc9fa19d292c86912339
- SHA1
  
  9b56b06e658e09db429ffe0b277ade58951195df
- SHA256
  
  8ce7960ddd89997626bf08a9f105509921aa38901cb0c113ae37a9e9718ef46b
- SHA512
  
  ae747c67de618fb54be1f2a53eac0c1d820cd540f959b7925e2ed49e9134e3bd0902b39816cdb4029a5671d0211244590d975048edca1638a45a09e572ad22fa
- SSDEEP
  
  98304:+2aAJLs/Zb7yRZmkew0jLLqUK1OlXKNH0bwt9stD+6f:8AJLs/ZPyLmxvLqU3XKBe
Score

9^/10

agilenet evasion
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral10 behavioral9
- Target
  
  Pain Exist 3.9/PainModule.dll
- Size
  
  6.8MB
- MD5
  
  61db7ecdc707673f5797425d3e936870
- SHA1
  
  802da01ef03a4aa806db3f7c0f9ff960fc5424e5
- SHA256
  
  2ce31c255dfc3a5bc85f03c2eed482e3824d283f53e8e4ad1d31be8fe32dc2cb
- SHA512
  
  d9af56acc2e3408194e3331fde24f88848453ed0d13a442bd873f31246ceab538bdcbbd9aeb4e948c2ea9512dd7f303f0674c2535afcbfff9e737b1d48445683
- SSDEEP
  
  196608:ZiJHJtypF7mBSWcZuAkWwvavP1R0UB5MSr:cV7yn7mUQAkavP1CUB5MSr
Score

7^/10

vmprotect
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral11 behavioral12
- Target
  
  Pain Exist 3.9/ScintillaNET.dll
- Size
  
  1.3MB
- MD5
  
  9166536c31f4e725e6befe85e2889a4b
- SHA1
  
  f0cd8253b7e64157d39a8dc5feb8cf7bda7e8dae
- SHA256
  
  ad0cc5a4d4a6aae06ee360339c851892b74b8a275ce89c1b48185672179f3163
- SHA512
  
  113a7b77d2d557d135470787deead744d42f8292d853e2b55074e9cb3591fd045ffd10e5c81b5c15dde55861b806363568611e591ae25dcb31cf011da7e72562
- SSDEEP
  
  24576:IJSShz305vgNF7/cOCPHPSVs4Eq+QTNX+cfQdS+2MMPishd/Ws5:ti0aNvoHqs4L95X+cfx/HGC
Score

1^/10
behavioral13 behavioral14
- Target
  
  Pain Exist 3.9/discord-rpc-w32.dll
- Size
  
  289KB
- MD5
  
  a1c35901ad26a30c5b7836771b6badff
- SHA1
  
  94a57cd3452a53c209323a1ce738b9f0fb0d6087
- SHA256
  
  517240600b04d454cc5ab7b03e43c4af5a0b831fd2515f25c015a83652ad4cac
- SHA512
  
  0af73788858e85df874cc232f5d31765648ffbf53d7fdf388fc1b619f44b9ca172c3ac92c983cbeec5d22b6692cd7d3f20734c8e759fe9cf53ac2671d9c1d5e4
- SSDEEP
  
  6144:iiLsvWG766dSiKXs2Ol2JWzh0TWxwpeqN55I8pF+WVe2KN6nB/F:iiLmW8daXs2dWzx5M5I8P+WM2a6tF
Score

3^/10
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

agilenetevasion

behavioral10

agilenetevasion

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16