Overview

overview

10

Static

static

7

Spoofer.exe

windows11-21h2-x64

1

cleaners/a...er.exe

windows11-21h2-x64

9

cleaners/cleaner.bat

windows11-21h2-x64

10

spoofers/C...32.exe

windows11-21h2-x64

1

spoofers/C...64.exe

windows11-21h2-x64

1

spoofers/C...64.sys

windows11-21h2-x64

1

spoofers/g...64.sys

windows11-21h2-x64

1

spoofers/s...er.bat

windows11-21h2-x64

1

Resubmissions

10-07-2024 02:30

240710-czl2gstcke 10

20-06-2024 12:39

240620-pvzs1axflf 10

20-06-2024 12:36

240620-pswcss1hrr 7

20-06-2024 12:35

240620-psqgjs1hrm 10

20-06-2024 12:33

240620-prd25axdpg 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    cleaners.zip

  • Size

    4.3MB

  • Sample

    240620-pvzs1axflf

  • MD5

    89daae512bcf605f191336ef8a461b75

  • SHA1

    747f3997bf80e6083c2a4a8032262c440ae4de8d

  • SHA256

    4ee85019c1ae4d1abf8ea1908f635339d0a4af88ba185dc30e1104e68c7c902e

  • SHA512

    7c280cb9a325311a1e8b575bcb99a26590db2435633a78da3383d177f4c93d1744d842e8c792b921d80aef7305b58fa83f5caa784466d9393d15024827611ed7

  • SSDEEP

    98304:/Bk7AtkbjSTuW+wI9a7OCq4MrdN0wIvQxk5XxeJMWrd6B9JO:JRW2ar4X/MP0tvOR5SPO

Score
10/10
evasionexecutionpersistenceprivilege_escalationthemidatrojan

Malware Config

Targets

    • Target

      Spoofer.exe

    • Size

      24KB

    • MD5

      7a4a3fea89bfe8810ef9835273d6fc84

    • SHA1

      cd411d7d4eed7b622ca2d1ea5495055da76216ee

    • SHA256

      2d9b399a3a584808b4bd38d9f6a12752e2b02875f92252f944a5bd7bf129e2f0

    • SHA512

      a921faf7de2ae61421432ba176ef7254f005bc052d41054019d1fbc5714c213266c598a64cd4c3edd4cec35130e3ce8d7595bb2bcc7c669a20d69b0ca93277d4

    • SSDEEP

      384:IfedtZWjBkCUo6tqt7glQcpF3dPBlcR8lfZKlD04tEGD4PTeB2DKiES3M+f:KVgtrYD0iEG4SBWUS3f

    Score
    1/10
    behavioral1

    • Target

      cleaners/applecleaner.exe

    • Size

      3.6MB

    • MD5

      f96eb2236970fb3ea97101b923af4228

    • SHA1

      e0eed80f1054acbf5389a7b8860a4503dd3e184a

    • SHA256

      46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

    • SHA512

      2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

    • SSDEEP

      98304:z7m+ij9HD0+jCihNRkl/W6aG/wcKnfu8NUT6Ko:e+y4ihkl/Wo/afHPb

    Score
    9/10
    evasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral2

    • Target

      cleaners/cleaner.bat

    • Size

      3.2MB

    • MD5

      0bef79984a785d284e225d3576239802

    • SHA1

      0a759883c5cd8822f269eca241c4dc8c43d86220

    • SHA256

      33da2dd5c5ef66be92bc9024f58e5b967746ff2f4b693efe68e98df7da6d4c80

    • SHA512

      d5d5aa1e7b3a46af0fd2f94eb5c45c451d3dd3a99debfba1fcda4f704dd3bb54d15fe7d4cda84fa5ca049a81115de73a583aa32da35db862ff6f00799f7700ad

    • SSDEEP

      49152:ZTOB4ynYygOvXsMruROZyUpWvWOLZkOReK:1

    Score
    10/10
    evasionexecutionpersistenceprivilege_escalation

    • Disables service(s)

      evasionexecution

    • Server Software Component: Terminal Services DLL

      persistence

    • Stops running service(s)

      evasionexecution

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Drops file in System32 directory

    behavioral3

    • Target

      spoofers/CupFixerx32.EXE

    • Size

      451KB

    • MD5

      feac8b5c2d2b99e7a3c8f1ba41ba3472

    • SHA1

      002bd5344c44f288c22e69b5e2846d515bfa429e

    • SHA256

      7fce635cb66dc1286856a1f1f281b90431288be4a9647a8e0cbd2a0346748b95

    • SHA512

      b95b83545ca45453e6d64b7c2cf276932eded9658187aa91dcff948e59c313ae071b0059a481cd7b01aae778fc4fda71aa830fb99b84197fb17e03e9a10e8e68

    • SSDEEP

      6144:Traq37wODH1cNaej2JMBO+1ObTq45kCNYczkF77TlfFBYdHJz6:B7wsAKJMBAFNVkF77Rfz

    Score
    1/10
    behavioral4

    • Target

      spoofers/CupFixerx64.exe

    • Size

      377KB

    • MD5

      b4eceb90668db85712e66fd493ce4ca5

    • SHA1

      951f3e9503b9b31a0c944355870dbfea0df32441

    • SHA256

      bf8df68bbac80b4382206917b9bb46e8fd6cf76f6acd7374a3e6f5470681597c

    • SHA512

      b912554fd863b237edd9f6518676ca9a190b7c7dc54024973a6062da8bf5ce8c6ad16219032cb0ed1ade7d2b5a855a6dc2aeb71c0ddde476a8bec64068ba0284

    • SSDEEP

      6144:4NFU+vVycygjjsp5dcAONdA22xVK8LRPo4WBIeX+oD9/nwLk9C9I6i:4bygjjsrdcAONdA22xVK8LRPo4WGkD9Q

    Score
    1/10
    behavioral5

    • Target

      spoofers/CupFixerx64.sys

    • Size

      27KB

    • MD5

      2b3e0db4f00d4b3d0b4d178234b02e72

    • SHA1

      622e7bffda8c80997e149ac11492625572e386e0

    • SHA256

      8c748ae5dcc10614cc134064c99367d28f3131d1f1dda0c9c29e99279dc1bdd9

    • SHA512

      8f200a2e13aa8a977c94509af5a0fe20e7964a7611e11aaa5ecd5aba73a60275f6f57ed3a6861b82832babfcfe5ec90f0c9067c65ef48f6c7fce69f7ad87baff

    • SSDEEP

      384:FgJ1Nv1Z/my+fmTOlfdi0Z909luSzJnabHVxrG52rHu1HGf/vrkd1SUNygUKLVe6:2n9+pli0X09luuJ4j/2HGrJhEJPxHP

    Score
    1/10
    behavioral6

    • Target

      spoofers/gsoftgmx64.sys

    • Size

      29KB

    • MD5

      f22740ba54a400fd2be7690bb204aa08

    • SHA1

      5812387783d61c6ab5702213bb968590a18065e3

    • SHA256

      65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

    • SHA512

      ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

    • SSDEEP

      384:qvOTI5HIPy54ygZOq0HMMKf69JG8QnuOfZFnJtQSZsHLPK6jjMYiWPFRUI5xl9Wn:qvsUoK54ZCMMb9U82uO7Jt6PKg4YHUc+

    Score
    1/10
    behavioral7

    • Target

      spoofers/serial_checker.bat

    • Size

      437B

    • MD5

      0c088b6adc55c20fc375badef6f7e9a7

    • SHA1

      37c865ebfe537b94534844281e9086462f3e2462

    • SHA256

      51f783d41ad3a807344eb9550d65cb4638793aac71f4eb4a1a11414b24e339e1

    • SHA512

      7f82c647413f997a537148ab7d1e8a5cff9fef18561783f329485dbb67ab76a2a8defa0a7304feb7e1e79645b50b8cb2d4a069ff3ec668542fdefb1adbde6f5d

    Score
    1/10
    behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Server Software Component

1
T1505

Terminal Services DLL

1
T1505.005

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

2
T1489

Tasks