af09f2db4951c00ccfb6780eea82915afd41d72698e9abadbb66fe9b7a27a7ca | Triage

Submit
Reports

Overview

overview

9

Static

static

7

GADAR.exe

windows7-x64

9

GADAR.exe

windows10-1703-x64

9

GADAR.exe

windows10-2004-x64

9

GADAR.exe

windows11-21h2-x64

9

Sharing

General

Target

GADAR.exe
Size

47.9MB
Sample

240512-h8eawsed6v
MD5

2814e71ab1cdf00994521f2c95032c73
SHA1

3537800a401c0a8289209583639e542e180d603e
SHA256

af09f2db4951c00ccfb6780eea82915afd41d72698e9abadbb66fe9b7a27a7ca
SHA512

d07d453ec7d82f0f8e307cef180200d9e8bacad872d95dce06810962ef2b59e02057471899865a3a3eefc2e6d4ebce5ed2938636bb132e7c7401fa6f2fd65bf9
SSDEEP

786432:mjy7AtGx1lJZ4FT7tS4H1YfBIMcTJS6s0UYZua3vsEOBkTCYKiDYYGRRqy:ZAMx1lJ0tDHafBjcd2MsF8sYGr

Score

9^/10

agilenet evasion themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

GADAR.exe

Resource

win7-20240419-en

agilenet evasion themida trojan

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

GADAR.exe

Resource

win10-20240404-en

agilenet evasion themida trojan

windows10-1703-x64

9 signatures

150 seconds

Behavioral task

behavioral3

Sample

GADAR.exe

Resource

win10v2004-20240508-en

agilenet evasion themida trojan

windows10-2004-x64

10 signatures

150 seconds

Behavioral task

behavioral4

Sample

GADAR.exe

Resource

win11-20240426-en

agilenet evasion themida trojan

windows11-21h2-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  GADAR.exe
- Size
  
  47.9MB
- MD5
  
  2814e71ab1cdf00994521f2c95032c73
- SHA1
  
  3537800a401c0a8289209583639e542e180d603e
- SHA256
  
  af09f2db4951c00ccfb6780eea82915afd41d72698e9abadbb66fe9b7a27a7ca
- SHA512
  
  d07d453ec7d82f0f8e307cef180200d9e8bacad872d95dce06810962ef2b59e02057471899865a3a3eefc2e6d4ebce5ed2938636bb132e7c7401fa6f2fd65bf9
- SSDEEP
  
  786432:mjy7AtGx1lJZ4FT7tS4H1YfBIMcTJS6s0UYZua3vsEOBkTCYKiDYYGRRqy:ZAMx1lJ0tDHafBjcd2MsF8sYGr
Score

9^/10

agilenet evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Subvert Trust Controls

Install Root Certificate

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

agilenetevasionthemidatrojan

behavioral2

agilenetevasionthemidatrojan

behavioral3

agilenetevasionthemidatrojan

behavioral4

agilenetevasionthemidatrojan

© 2018-2024

Terms | Privacy