Resubmissions

  • 26-07-2024 21:57  240726-1t7m1azhkg  9

  • 26-07-2024 21:52  240726-1q4ryaxapj  9

General

  • Target: Bootstrapper(2).exe

  • Size: 795KB

  • Sample: 240726-1t7m1azhkg

  • MD5: a7f3293b177a63f6c50b5560e729cbff

  • SHA1: 4885073e4881cffc5c5155de720aa65755418fe8

  • SHA256: da17868f107954124c0953fd1cb37ac8ed4e78460905e83d6402b966a77ee7dc

  • SHA512: 70b3431b238457a24e66914d0059e7e8e2dc4f79ac49c9a9c510214b8bc1279af6947288442060ac02c3cf3c863c144ef95219006097d2e59183586f7f701438

  • SSDEEP: 12288:Hs0xF36Z1LyI6QQsJNOoRQ1jt/Nppxu29CHWzO:xxJ6Z1L5J8oRQ1jt/Nppxv9C2

Malware Config

Targets

    • Target: Bootstrapper(2).exe

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Blocklisted process makes network request

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Network Share Discovery

      Attempts to gather information on the host network.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion

    • Virtualization/Sandbox Evasion (1)  T1497

Discovery

    • Query Registry (4)  T1012

    • Virtualization/Sandbox Evasion (1)  T1497

    • System Information Discovery (5)  T1082

    • Peripheral Device Discovery (1)  T1120

    • Network Share Discovery (1)  T1135

    • System Location Discovery (1)  T1614

    • System Language Discovery (1)  T1614.001

    • System Network Configuration Discovery (1)  T1016

    • Internet Connection Discovery (1)  T1016.001

Command and Control

    • Web Service (1)  T1102

Tasks