1a62ed192ff4a7bd746fa24c8d7cd96578a4c7e9f0d4a6651a2a3d0baff9c433 | Triage

Submit
Reports

Overview

overview

9

Static

static

7

AppleCleaner.exe

windows7-x64

9

AppleCleaner.exe

windows10-2004-x64

9

Sharing

Copy URL Twitter E-mail

General

Target

AppleCleaner.exe
Size

3.6MB
Sample

240808-y4dfssygjm
MD5

da2176757b2fead6539243b42057cb3c
SHA1

e14195bd4066e90c821caabd6ca63a173c1ca802
SHA256

1a62ed192ff4a7bd746fa24c8d7cd96578a4c7e9f0d4a6651a2a3d0baff9c433
SHA512

b9d13ecd8679064bc4cd9dbd823ba5367aebe13177c9ed5e6c6c40d70823ed32977bd40cde73ccfaa49f6f32b19b4f06f9396beb145bd774891d4290873c735d
SSDEEP

98304:gmQu0iNucsADierKQYRc4sNHOZjKg5tkdv+HR5+a:fQabDieOQ944HOZjp5tkx+x3

Score

9^/10

discovery evasion persistence privilege_escalation themida trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

AppleCleaner.exe

Resource

win7-20240704-en

discovery evasion themida trojan

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

AppleCleaner.exe

Resource

win10v2004-20240802-en

discovery evasion persistence privilege_escalation themida trojan

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Targets

- Target
  
  AppleCleaner.exe
- Size
  
  3.6MB
- MD5
  
  da2176757b2fead6539243b42057cb3c
- SHA1
  
  e14195bd4066e90c821caabd6ca63a173c1ca802
- SHA256
  
  1a62ed192ff4a7bd746fa24c8d7cd96578a4c7e9f0d4a6651a2a3d0baff9c433
- SHA512
  
  b9d13ecd8679064bc4cd9dbd823ba5367aebe13177c9ed5e6c6c40d70823ed32977bd40cde73ccfaa49f6f32b19b4f06f9396beb145bd774891d4290873c735d
- SSDEEP
  
  98304:gmQu0iNucsADierKQYRc4sNHOZjKg5tkdv+HR5+a:fQabDieOQ944HOZjp5tkx+x3
Score

9^/10

discovery evasion themida trojan persistence privilege_escalation
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Manipulates Digital Signatures
  Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.
- Modifies Windows Firewall
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Create or Modify System Process

Windows Service

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Subvert Trust Controls

SIP and Trust Provider Hijacking

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Network Service Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryevasionthemidatrojan

behavioral2

discoveryevasionpersistenceprivilege_escalationthemidatrojan

© 2018-2025

Terms | Privacy