Overview

overview

10

Static

static

7

cryptolaemus

windows10-2004-x64

10

cryptolaemus

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    29a45face7eab6c08a8936739ddd8b63116ed23e5638eee914734080013acb29

  • Size

    6.2MB

  • Sample

    240527-trjd3aba86

  • MD5

    ca428ee59cb833e7a19b66e9f935d4c8

  • SHA1

    60d5d626f50a0dcd32f8931abe9d3b121e0fb71a

  • SHA256

    29a45face7eab6c08a8936739ddd8b63116ed23e5638eee914734080013acb29

  • SHA512

    d6afec966732970e0ec73187e6f01c093f0abe8e99770009b0fbf45dcde2f9ea267ab8bf1422e68c2d3b39d4085274a6af5e836a7bd768c2dcdce0353b712771

  • SSDEEP

    196608:/h9xIN48LD6xSg8sR5AX0zjTy7q29kGIeokYuX4Nzc0JyBo6d/RBikeFeKigysTc:ZLIG8Lhg8sR5K0zjTy7q29kGIeokYuXN

Score
10/10
privateloaderevasionloaderthemidatrojan

Malware Config

Targets

    • Target

      29a45face7eab6c08a8936739ddd8b63116ed23e5638eee914734080013acb29

    • Size

      6.2MB

    • MD5

      ca428ee59cb833e7a19b66e9f935d4c8

    • SHA1

      60d5d626f50a0dcd32f8931abe9d3b121e0fb71a

    • SHA256

      29a45face7eab6c08a8936739ddd8b63116ed23e5638eee914734080013acb29

    • SHA512

      d6afec966732970e0ec73187e6f01c093f0abe8e99770009b0fbf45dcde2f9ea267ab8bf1422e68c2d3b39d4085274a6af5e836a7bd768c2dcdce0353b712771

    • SSDEEP

      196608:/h9xIN48LD6xSg8sR5AX0zjTy7q29kGIeokYuX4Nzc0JyBo6d/RBikeFeKigysTc:ZLIG8Lhg8sR5K0zjTy7q29kGIeokYuXN

    Score
    10/10
    privateloaderevasionloaderthemidatrojan

    • Modifies firewall policy service

      evasion

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks