General

  • Target

    NovaWare_Perm_spoof.ZIP

  • Size

    19.7MB

  • Sample

    240616-p8hfwayapj

  • MD5

    00a6da4281a202370a52fef4cf4d7421

  • SHA1

    a75b12ceef4459056dd19cbfd1c206e433473e38

  • SHA256

    ef6d1d2eee80126ce4732424d575f955ec8c3906aeb0fbe8e75e457aa6bfb23e

  • SHA512

    9c17791b5037794f457923f14f878e5bcdd10fc72be0790daf1c2ebafd4f4ad6c9615cef6f3812a75e553c7c0fccac5f5c994d2e5385bb39ff2c0aa8d3ad1512

  • SSDEEP

    393216:f3D+6eYyhkxUbgvy8Euf7APnntluciSHHWB1fDaeWeYH/r2ks1lcaik4I:fT6KR68fent8hhB1fDa7z2nzAI

Malware Config

Targets

    • Target

      perm/Serial Checker/Checker.bat

    • Size

      454B

    • MD5

      aa8220e80fb4dfd7ea8f391672218a93

    • SHA1

      6822bec95792d69c0cc94b5b62eb7cb9e30ae67c

    • SHA256

      b9ec143a28f17dbcc9a1ac14c029850fdccefa74cdf2e687186bae9c84bb1c44

    • SHA512

      b96d0170ee25cd8cf060a7c830a4a8a230af0b69bf7110713bd9160e2cb24c31cb44c0df8f0cc779bedcc5dfb57af857b9ae0e22cc9698b46d8ca930a81fcb95

    • Score

      1/10
    • Target

      perm/perm/Guna.UI2.dll

    • Size

      2.1MB

    • MD5

      c97f23b52087cfa97985f784ea83498f

    • SHA1

      d364618bec9cd6f8f5d4c24d3cc0f4c1a8e06b89

    • SHA256

      e658e8a5616245dbe655e194b59f1bb704aaeafbd0925d6eebbe70555a638cdd

    • SHA512

      ecfa83596f99afde9758d1142ff8b510a090cba6f42ba6fda8ca5e0520b658943ad85829a07bf17411e26e58432b74f05356f7eaeb3949a8834faa5de1a4f512

    • SSDEEP

      49152:cvrqKk8q2gqi2OXCt6kuSw9g8PTNTN/23uxjPHEiCAjFcm:cvrqZr

    • Score

      1/10
    • Target

      perm/perm/ilikeniggers.exe

    • Size

      19.3MB

    • MD5

      f20d080bc5344dbbf37afa5779fa0604

    • SHA1

      7f774ed6c8a10d38345739318d404439587071a4

    • SHA256

      9e2d897d5809436fb686999370dcdac42656da3bf9e82e1ef7120ed62b3303b0

    • SHA512

      8e15ab809ac8495711adb85c37d7819ae1b463a8b53fd2790bfc7a2fff133a39c48fa6f8ed6c3587b0b55d8bbea30071735e0f66bd25b62202762dcd2d9e2acd

    • SSDEEP

      393216:y0OYis2CulNrako7o9d3jQzW+1tq2G6gwFHF+FN/NCNeA9emVea:+dFmkoU9dTQzWatq2G6JluN/NCNx9eY

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • AgentTesla payload

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks