General

  • Target

    PS5Emux_v1.1.0.zip

  • Size

    15.5MB

  • Sample

    240610-m5gztsha38

  • MD5

    48f286657c7576a5915a2b23f7971e45

  • SHA1

    23b013cb870906ed46420cf7aa00f2d45374c13a

  • SHA256

    8c9f450453ece5ce1a01b2867c7e4e85be29ae8ef4430c095019d87d40361b96

  • SHA512

    fdc64902098a92377bbcd508f38ff48d89cc43f9512446fff131b2b2f493614c9e262601f35f5f1585b3224e4952dd5db60008131e28109007515c465bcbadad

  • SSDEEP

    393216:RyG8fUPWiFZNU8OeXUHUqx112yEloYM1wgWx4mSiH2m3f3WJM5:58fcWMZNaQqv1Ilo184mv5Z5

Malware Config

Targets

    • Target

      installer.zip

    • Size

      15.5MB

    • MD5

      da36fb3463fc5672fb4e9ae0e63c8b82

    • SHA1

      aaebcdc5aebb6ab15c4437c22bb40a275b295982

    • SHA256

      a01e4ab460c96ccb58a40709703088bc997395490ac5fa9eae4d143f0e7e9b5d

    • SHA512

      1da7fd3d18d1e5a48182b5ae0a4642c762d5f771748271dd17b9281ec12fb07ee6c06c227fc34ef3d59d75a7f505715969e1c136ee8efd7d97b7fbc50ed2ad45

    • SSDEEP

      393216:ZyG8fUPWiFZNU8OeXUHUqx112yEloYM1wgWx4mSiH2m3f3WJMD:B8fcWMZNaQqv1Ilo184mv5ZD

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes (typically via Add-MpPreference) so that files the sample drops are not scanned.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (running or not running depending on the victim's locale).

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger
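
The behaviours listed above can be re-derived from a process/API trace. The script below is an added example and is not the sandbox's own rule set or the report's data: the input is a constructed, simplified JSON-lines trace (one event per line, keys `pid`, `api`, `path`, `value`, `image`, `cmdline`, `info_class`, `parent_pid` are this example's own layout, not an export format of any tool). The registry paths and API names are the standard Windows locations these signatures are assumed to refer to (BIOS data under HARDWARE\DESCRIPTION\System\BIOS, VirtualBox ACPI tables under HARDWARE\ACPI\*\VBOX__, the Geo\Nation value, EnableLUA, ThreadHideFromDebugger = 0x11). The Themida signature is a static PE check and is not covered here.

```python
import json
import re

SIG_POWERSHELL = "Command and Scripting Interpreter: PowerShell (Defender exclusions)"
SIG_DROPPED = "Executes dropped EXE"
SIG_HIDE = "Suspicious use of NtSetInformationThreadHideFromDebugger"
SIG_PARENT = "Suspicious use of NtCreateUserProcessOtherParentProcess"

# Registry artefacts behind the report's registry-based signatures (assumed
# standard locations). Each pattern is matched against "<key path>\<value name>",
# the value name being optional (RegOpenKey events carry only a path).
REGISTRY_RULES = [
    ("Checks BIOS information in registry",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS(\\|$)", re.I)),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("Checks computer location settings",
     re.compile(r"\\Control Panel\\International\\Geo(\\|$)", re.I)),
    ("Checks whether UAC is enabled",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
]

# Add-MpPreference switches that widen Defender's blind spot.
EXCLUSION_SWITCH = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.I)
THREAD_HIDE_FROM_DEBUGGER = 17  # THREADINFOCLASS ThreadHideFromDebugger (0x11)

# Constructed sample trace (this example's own layout, not sandbox output).
SAMPLE_TRACE = r'''
{"pid": 1000, "api": "process_create", "image": "C:\\Users\\u\\Desktop\\installer.exe", "cmdline": "installer.exe"}
{"pid": 1000, "api": "RegQueryValueExW", "path": "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS", "value": "SystemManufacturer"}
{"pid": 1000, "api": "RegOpenKeyExW", "path": "HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__"}
{"pid": 1000, "api": "RegQueryValueExW", "path": "HKCU\\Control Panel\\International\\Geo", "value": "Nation"}
{"pid": 1000, "api": "RegQueryValueExW", "path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "value": "EnableLUA"}
{"pid": 1000, "api": "NtSetInformationThread", "info_class": 17}
{"pid": 1000, "api": "file_write", "path": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"}
{"pid": 1000, "api": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -NoP -W Hidden Add-MpPreference -ExclusionPath 'C:\\Users\\u\\AppData\\Local\\Temp' -ExclusionExtension exe -ExclusionProcess svc.exe"}
{"pid": 1000, "api": "NtCreateUserProcess", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "parent_pid": 4321}
{"pid": 1000, "api": "process_create", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "cmdline": "svc.exe"}
'''


def defender_exclusions(cmdline):
    """Return the sorted exclusion kinds set via Add-MpPreference, or [] if none."""
    if not re.search(r"\bAdd-MpPreference\b", cmdline, re.I):
        return []
    return sorted({m.group(1).lower() for m in EXCLUSION_SWITCH.finditer(cmdline)})


def scan_trace(text):
    """Map each signature name to the pieces of evidence that triggered it."""
    hits = {}
    dropped = set()  # lower-cased paths of .exe files the sample wrote itself

    def add(sig, evidence):
        hits.setdefault(sig, []).append(evidence)

    for raw in text.strip().splitlines():
        ev = json.loads(raw)
        api = ev["api"]
        if api.startswith("Reg"):
            target = ev["path"] + ("\\" + ev["value"] if "value" in ev else "")
            for sig, pattern in REGISTRY_RULES:
                if pattern.search(target):
                    add(sig, target)
        elif api == "file_write" and ev["path"].lower().endswith(".exe"):
            dropped.add(ev["path"].lower())
        elif api == "process_create":
            kinds = defender_exclusions(ev.get("cmdline", ""))
            if kinds:
                add(SIG_POWERSHELL, "exclusions: " + ", ".join(kinds))
            # "Executes dropped EXE": the image was written earlier in this trace.
            if ev["image"].lower() in dropped:
                add(SIG_DROPPED, ev["image"])
        elif api == "NtSetInformationThread" and ev.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
            add(SIG_HIDE, raw)
        elif api == "NtCreateUserProcess" and ev.get("parent_pid", ev["pid"]) != ev["pid"]:
            # Parent-PID spoofing: caller asks for a parent other than itself.
            add(SIG_PARENT, f"{ev['image']} parent_pid={ev['parent_pid']}")
    return hits


if __name__ == "__main__":
    for sig, evidence in scan_trace(SAMPLE_TRACE).items():
        print(f"[+] {sig}")
        for item in evidence:
            print(f"      {item}")
```

The dropped-EXE rule is the only stateful one: it needs the earlier file_write event, so the trace has to be scanned in order. Keying registry rules on both key path and value name keeps the UAC rule from firing on every read of the Policies\System key.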

MITRE ATT&CK Enterprise v15

Tasks