Overview

overview

9

Static

static

7

GADAR.exe

windows7-x64

9

GADAR.exe

windows10-1703-x64

9

GADAR.exe

windows10-2004-x64

9

GADAR.exe

windows11-21h2-x64

9

Analysis

  • max time kernel
    92s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 07:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GADAR.exe

  • Size

    47.9MB

  • MD5

    2814e71ab1cdf00994521f2c95032c73

  • SHA1

    3537800a401c0a8289209583639e542e180d603e

  • SHA256

    af09f2db4951c00ccfb6780eea82915afd41d72698e9abadbb66fe9b7a27a7ca

  • SHA512

    d07d453ec7d82f0f8e307cef180200d9e8bacad872d95dce06810962ef2b59e02057471899865a3a3eefc2e6d4ebce5ed2938636bb132e7c7401fa6f2fd65bf9

  • SSDEEP

    786432:mjy7AtGx1lJZ4FT7tS4H1YfBIMcTJS6s0UYZua3vsEOBkTCYKiDYYGRRqy:ZAMx1lJ0tDHafBjcd2MsF8sYGr

Score
9/10
agilenetevasionthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 7 IoCs
  • Obfuscated with Agile.Net obfuscator 4 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GADAR.exe
    "C:\Users\Admin\AppData\Local\Temp\GADAR.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3208
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1984
      2⤵
      • Program crash
      PID:3180
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3208 -ip 3208
    1⤵
      PID:2212

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\SIKKA_V2.exe.config
      Filesize

      534B

      MD5

      4b14782cb47160b63edb3a1374a75347

      SHA1

      0632cf59cf6ecf19847e241a81b8ae4ef4c41864

      SHA256

      a5991e80a38e2aa164e09beb42cb87f70936f04dfa59370b0dbcf633eecda089

      SHA512

      836a3f35ef5237bce387e1b595def60d07e1a0c7d1a4b0bed3e12c3eb6e4ac44c2a492409581f8c19334bb7a5dedbf885be4e2c2ff74987630892b96ebdccb5c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\config.zip
      Filesize

      6.8MB

      MD5

      acfc66bdc0874b0b5aa95aa4b704ee5a

      SHA1

      780a2408b52ed2b9d24867440c8b9ee9fdf301cf

      SHA256

      bba273900f9564a3af9dcedf90e43f5960a431f56927b68f5d0c29e833c64ed6

      SHA512

      8836fe397e72030cadc9d78c7c7dc0b2ac5125b0b5abb12256f65c4f8b37a5cbaf29d149e3b00687ff278e2a091ccd034a6ffab3c3c1af44a0f3ec02d5428e45

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\evb669A.tmp
      Filesize

      1KB

      MD5

      c40ae7a442636eea2c869669c8d819af

      SHA1

      836c228f24f25133fd8a1242b12691c80aa0bef0

      SHA256

      541ce6acba5c23906c51894f9550235eaf885f96a590fd7943b7dd68dfb73f68

      SHA512

      8d5e5b0af1b926cb5c621800455518f3505bae3508d5583e41b1fe72c8ee32d6d5990ce82bb7f86ad5dc87f68d88894095e27d1cdcd5d92aea73e99b81b1b3ab

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\evb8D5D.tmp
      Filesize

      1KB

      MD5

      aadec36a79a70c893d266252c60707b0

      SHA1

      fe0e0eb278749fe39e80ed001afd4de42f41c8b5

      SHA256

      e720344d50f5326d561fe16ac7ce2168ef808ec180e6f2fdfbdf4ada9af5d6bd

      SHA512

      10a03b2650c3870409687527a26279c11c56b6fb99adb884e69ef025361f5e1440481e8d239c1bbbb44218c66b1eae67f5f4d241663fcee70d70c8d36e8f23b2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\evb9B1C.tmp
      Filesize

      1KB

      MD5

      6ceb6e3be571bdaee3147adb325994f0

      SHA1

      25b8919e8c917c7d31436a4555d391306b96a3a3

      SHA256

      3705ac3ba0589b10770f0fb31000372e8f0ccecd2397c96db3ad3c6b986fd002

      SHA512

      339a1855a13fb844606e1950e430b5593528ec67da884d1b5a172a7740904daf1aaf6ae0cc0316638582742d1189720baba7f75030355ef706031074afd4d772

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\x64\SQLite.Interop.dll
      Filesize

      1.5MB

      MD5

      a0d07d0e354c7760497ef7ea6227b937

      SHA1

      10cfc3ff37b8b492a2130d1cda2ccfa8788a9650

      SHA256

      f39fc4d52b3e9e1a8d30fb8e2ffd320c1b54a5d5c5ad2444e57f0b3642cdc05e

      SHA512

      908c234cb616edc87a76d9153a6da8f2a1013c477602ec2068dc598592cd1355569f42989b1f4b29ab43f9dde3912dbfd9bfb01eaedbf6960277d629f75e24eb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\x86\SQLite.Interop.dll
      Filesize

      1.2MB

      MD5

      20f57cdc2bbf1921aeafc24a3550bafb

      SHA1

      e20d2ad819b47f58ebeac880bd10c04f2c7c368c

      SHA256

      b1d183195f39d03573312ca6b232869b2d06b2dd9afb8e7896f61eee3ee87224

      SHA512

      9a2f663dfa528ce5dd27dfad3717f146fd7074de30916c675488f7b4e718bf0aa0b5007b937ff1fa32acdd7c7cb1b4166c5ef0744aa599370b01c33076429fd3

      Download Submit
    • memory/3208-99-0x0000000008460000-0x00000000084FC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3208-112-0x0000000000C00000-0x00000000022EA000-memory.dmp
      Filesize

      22.9MB

      Download
    • memory/3208-17-0x00000000FFB50000-0x00000000FFD3F000-memory.dmp
      Filesize

      1.9MB

      Download
    • memory/3208-18-0x0000000073FF0000-0x00000000747A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3208-20-0x0000000007530000-0x0000000007E65000-memory.dmp
      Filesize

      9.2MB

      Download
    • memory/3208-21-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-23-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-24-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-22-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-25-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-27-0x0000000072A00000-0x0000000072A89000-memory.dmp
      Filesize

      548KB

      Download
    • memory/3208-26-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-95-0x0000000008900000-0x0000000008EA4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3208-96-0x0000000008350000-0x00000000083E2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3208-97-0x0000000007630000-0x0000000007652000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3208-98-0x00000000083F0000-0x0000000008456000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3208-0-0x0000000000C00000-0x00000000022EA000-memory.dmp
      Filesize

      22.9MB

      Download
    • memory/3208-13-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-105-0x0000000008EB0000-0x000000000943E000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3208-111-0x0000000009440000-0x00000000099CE000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3208-104-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-9-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-113-0x0000000073FF0000-0x00000000747A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3208-114-0x0000000009440000-0x00000000099CE000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3208-115-0x0000000009440000-0x00000000099CE000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3208-116-0x0000000009D20000-0x0000000009D68000-memory.dmp
      Filesize

      288KB

      Download
    • memory/3208-117-0x0000000009200000-0x0000000009208000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3208-118-0x0000000077172000-0x0000000077173000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3208-6-0x0000000073FF0000-0x00000000747A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3208-135-0x0000000000400000-0x0000000000444000-memory.dmp
      Filesize

      272KB

      Download
    • memory/3208-129-0x0000000009D70000-0x0000000009DB4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/3208-128-0x0000000009D70000-0x0000000009DB4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/3208-126-0x0000000073FF0000-0x00000000747A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3208-139-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-141-0x0000000000400000-0x0000000000444000-memory.dmp
      Filesize

      272KB

      Download
    • memory/3208-140-0x0000000073FF0000-0x00000000747A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3208-142-0x0000000073FF0000-0x00000000747A0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/3208-1-0x0000000077172000-0x0000000077173000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3208-4-0x0000000000C00000-0x000000000229C000-memory.dmp
      Filesize

      22.6MB

      Download
    • memory/3208-2-0x0000000077173000-0x0000000077174000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3208-3-0x0000000073FFE000-0x0000000073FFF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3208-187-0x0000000010000000-0x000000001149D000-memory.dmp
      Filesize

      20.6MB

      Download
    • memory/3208-190-0x0000000000C00000-0x000000000229C000-memory.dmp
      Filesize

      22.6MB

      Download
    • memory/3208-191-0x0000000073FF0000-0x00000000747A0000-memory.dmp
      Filesize

      7.7MB

      Download