bf782827fee0c2350eef32b486f7750a530d0e253187f85dd6b52af0b30c8a85 | Triage

Submit
Reports

Overview

overview

9

Static

static

7

NEXU$.exe

windows7-x64

9

NEXU$.exe

windows10-1703-x64

9

NEXU$.exe

windows10-2004-x64

9

NEXU$.exe

windows11-21h2-x64

9

Sharing

General

Target

NEXU$.exe
Size

27.7MB
Sample

240506-lrzr2sgb5s
MD5

9f7d0bfe3985c340f42f039fbf9c52af
SHA1

8769d102239db1f9befeaa67b25a7c12ea9ccf2b
SHA256

bf782827fee0c2350eef32b486f7750a530d0e253187f85dd6b52af0b30c8a85
SHA512

988f00c929d7d01b887dc511e586cc75a14180b8b65f34cc293bb998174b667cd488d4e4fc777c183f0c29c744cf649fa520f7265e13486226f3f074cdaf3f81
SSDEEP

786432:TBvc42en9y+aJtShY9Q6SZKb0SReIMrRRMVb:T+cUSG8Zw09YVb

Score

9^/10

agilenet evasion themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

NEXU$.exe

Resource

win7-20240221-en

agilenet evasion themida trojan

windows7-x64

18 signatures

300 seconds

Behavioral task

behavioral2

Sample

NEXU$.exe

Resource

win10-20240404-en

agilenet evasion themida trojan

windows10-1703-x64

17 signatures

300 seconds

Behavioral task

behavioral3

Sample

NEXU$.exe

Resource

win10v2004-20240226-en

agilenet evasion themida trojan

windows10-2004-x64

18 signatures

300 seconds

Behavioral task

behavioral4

Sample

NEXU$.exe

Resource

win11-20240419-en

agilenet evasion themida trojan

windows11-21h2-x64

17 signatures

300 seconds

Malware Config

Targets

- Target
  
  NEXU$.exe
- Size
  
  27.7MB
- MD5
  
  9f7d0bfe3985c340f42f039fbf9c52af
- SHA1
  
  8769d102239db1f9befeaa67b25a7c12ea9ccf2b
- SHA256
  
  bf782827fee0c2350eef32b486f7750a530d0e253187f85dd6b52af0b30c8a85
- SHA512
  
  988f00c929d7d01b887dc511e586cc75a14180b8b65f34cc293bb998174b667cd488d4e4fc777c183f0c29c744cf649fa520f7265e13486226f3f074cdaf3f81
- SSDEEP
  
  786432:TBvc42en9y+aJtShY9Q6SZKb0SReIMrRRMVb:T+cUSG8Zw09YVb
Score

9^/10

agilenet evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Subvert Trust Controls

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

agilenetevasionthemidatrojan

behavioral2

agilenetevasionthemidatrojan

behavioral3

agilenetevasionthemidatrojan

behavioral4

agilenetevasionthemidatrojan

© 2018-2024

Terms | Privacy