d67d83dc5b43e45d377b44c1f96b219d5ac349886734b059b2854b74e1e8f454

General

Target

Stealth.exe
Size

9.3MB
MD5

4e50213716582b292e7f0facfa21e662
SHA1

d2b59642f77801279d88f6c8341894cd82582e21
SHA256

d67d83dc5b43e45d377b44c1f96b219d5ac349886734b059b2854b74e1e8f454
SHA512

a4cca7dfda4fa0e876fddbcfd1d9f9ec9158cdd176b0e87eb12acd8f86ff7782477efb894d879d96b36b71a6e1efe590fccecab1e62f04d4bb97db3e0e71b3cd
SSDEEP

196608:ZyBDKZCUCKWn9vzrwBNf3PNlTjAGE1ZP8QGpgt1y7zD40MVYL43IAO1:GDK8pKG1zY/TUHEQGpw1iw0E9O1

Score

9^/10

evasion trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Stealth.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Stealth.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Stealth.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Stealth.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1632	Stealth.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1272	1632	Stealth.exe	29
PID 1632 wrote to memory of 1272	1632	Stealth.exe	29
PID 1632 wrote to memory of 1272	1632	Stealth.exe	29
PID 1272 wrote to memory of 3028	1272	cmd.exe	30
PID 1272 wrote to memory of 3028	1272	cmd.exe	30
PID 1272 wrote to memory of 3028	1272	cmd.exe	30
PID 1272 wrote to memory of 3060	1272	cmd.exe	31
PID 1272 wrote to memory of 3060	1272	cmd.exe	31
PID 1272 wrote to memory of 3060	1272	cmd.exe	31
PID 1272 wrote to memory of 1088	1272	cmd.exe	32
PID 1272 wrote to memory of 1088	1272	cmd.exe	32
PID 1272 wrote to memory of 1088	1272	cmd.exe	32
PID 1632 wrote to memory of 3004	1632	Stealth.exe	33
PID 1632 wrote to memory of 3004	1632	Stealth.exe	33
PID 1632 wrote to memory of 3004	1632	Stealth.exe	33

C:\Users\Admin\AppData\Local\Temp\Stealth.exe
"C:\Users\Admin\AppData\Local\Temp\Stealth.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Stealth.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Stealth.exe" MD5
    3⤵
    PID:3028
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:3060
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-1-0x00000000777A0000-0x00000000777A2000-memory.dmp

Filesize
8KB

Download
memory/1632-0-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-2-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-3-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-4-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-7-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-8-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-9-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-10-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-11-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-12-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-13-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-14-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-15-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-16-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-17-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-18-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-19-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-20-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download
memory/1632-21-0x0000000140000000-0x00000001417FA000-memory.dmp

Filesize
24.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads