General

  • Target

    VELOCITY SPOOFER.rar

  • Size

    42.8MB

  • Sample

    240616-f138yavfkm

  • MD5

    ef475c4a6399a55b1a2ff5c076d4d24b

  • SHA1

    938c8bb1257d444acb4882ea631e0538acced9d3

  • SHA256

    8d2410c9bfb3a1f474b1788b1ceef5e08e46492d2f1ced167ac15ce9612cc66c

  • SHA512

    038c49b828a95b4e732e8bab27b60232fecc9d0451def2866335bb99e86dbba1b39ef6f28f9395f1d7927b30bf3ff0e58c985368e4d37821673643b595f941d8

  • SSDEEP

    786432:uPJONfCPXexFGlfFV+Tlwvgf+XcHEXFo/WEuOKWH4oJTct1KzxESyRdl:uPJsfCv8YfFUaYf+MWYWMxQ5dl

Malware Config

Targets

    • Target

      VELOCITY SPOOFER/Install These/VC_redist.x64.exe

    • Size

      24.2MB

    • MD5

      1d545507009cc4ec7409c1bc6e93b17b

    • SHA1

      84c61fadf8cd38016fb7632969b3ace9e54b763a

    • SHA256

      3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a

    • SHA512

      5935b69f5138ac3fbc33813c74da853269ba079f910936aefa95e230c6092b92f6225bffb594e5dd35ff29bf260e4b35f91adede90fdf5f062030d8666fd0104

    • SSDEEP

      786432:tSp+Ty2SfUfnbDDko5dFMYqlQbgAVLSElbmucMuZZxs6Sf:4p+Ty2SfWnHDk8FjVbfzPTq4

    • Score

      4/10

    • Target

      VELOCITY SPOOFER/Install These/dxwebsetup.exe

    • Size

      288KB

    • MD5

      2cbd6ad183914a0c554f0739069e77d7

    • SHA1

      7bf35f2afca666078db35ca95130beb2e3782212

    • SHA256

      2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

    • SHA512

      ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

    • SSDEEP

      6144:kWK8fc2liXmrLxcdRDLiH1vVRGVOhMp421/7YQV:VcvgLARDI1KIOzO0

    • Score

      7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      VELOCITY SPOOFER/Install These/net472.exe

    • Size

      1.3MB

    • MD5

      69c7a6fbd55e62f6248ef3dd15e0a4b8

    • SHA1

      8db77fae5d96bcf400e011693867e4967d6efa7e

    • SHA256

      8880ec74a4a5758a0dd7a49fdb8d0c55e7518de92eb1cc384c2e90e7f4d14cc4

    • SHA512

      fe5a16bbc234334947136e7eb062c1483a7393b9e8a64f06011b17cc5a3f3c611086d0b15e51f7a34223671188625e885d407aa1453554bd07508acbeeabaa09

    • SSDEEP

      24576:0GHL3siy9XlrSmtLvUDSRbm4Jah1rVxbMA4/9PcmkBQHLeEJJXeQ80+gIn+Ae:JL3s7V+eTUDBzrVxbMfUmkNEjXeu+3Q

    • Score

      7/10

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      VELOCITY SPOOFER/Serial Checker/Checker.bat

    • Size

      454B

    • MD5

      aa8220e80fb4dfd7ea8f391672218a93

    • SHA1

      6822bec95792d69c0cc94b5b62eb7cb9e30ae67c

    • SHA256

      b9ec143a28f17dbcc9a1ac14c029850fdccefa74cdf2e687186bae9c84bb1c44

    • SHA512

      b96d0170ee25cd8cf060a7c830a4a8a230af0b69bf7110713bd9160e2cb24c31cb44c0df8f0cc779bedcc5dfb57af857b9ae0e22cc9698b46d8ca930a81fcb95

    • Score

      1/10

    • Target

      VELOCITY SPOOFER/VELOCITY SPOOFER/Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      c19e9e6a4bc1b668d19505a0437e7f7e

    • SHA1

      73be712aef4baa6e9dabfc237b5c039f62a847fa

    • SHA256

      9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

    • SHA512

      b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    • SSDEEP

      49152:6QNztBO2+VN7N3HtnPhx70ZO4+CPXOn5PThDH2TBeHjvjiBckYf+Yh/FJ3:6Ahck2z

    • Score

      1/10

    • Target

      VELOCITY SPOOFER/VELOCITY SPOOFER/VELOCITYSPOOFER V3.0.3 .exe

    • Size

      18.6MB

    • MD5

      5b0959331736bb00f64fcc7c6a779e70

    • SHA1

      0e025d6575cc2cc43ed20ebd76bb16e856e3dd1f

    • SHA256

      3b8bcb947f70781010d77610ed7f7c6087668c96dc6daa6e7264910a30aef0b7

    • SHA512

      50ec7371b2f13e07cca0a7040f41391dd9502257c1cc6c0c57202d5ec46c9236c8727cbb699eeac0c05a09f43b0653ce4d51008ccf36f623962363c05c5b485a

    • SSDEEP

      393216:wRtFiEWIqtfGuraddLCQB4v6s//S7Yxk+jR4SK:wRtFiEmeuraLCQnSaszml

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks