83cd4f2b93b18af2820d0cacaa810df2332dc4771894a394dfd323bb44f06b3f

Sharing

Copy URL

Twitter E-mail

General

Target

Themida_x32_x64_v3.0.4.0_Repacked.rar
Size

54.4MB
Sample

240809-2b4ztssdlp
MD5

3f5e3502831c5969b5a5aafc39ad4da5
SHA1

50e289e000b766e1e53d33e7e05e5820d362467b
SHA256

83cd4f2b93b18af2820d0cacaa810df2332dc4771894a394dfd323bb44f06b3f
SHA512

3c12b1e000c5026479b004630ad4675ef973b9e62a73c789014c80d953e1585158d2ffb536713f35c376435685927022bdfeed8064865ce1916fd7835cd18e39
SSDEEP

1572864:StD/TgxSl8y9nEekvnNagrrshHVA959mV3e/lAHOw:S9gC8aEekvVIAdbAHOw

Score

9^/10

Malware Config

Targets

- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/Themida64.exe
- Size
  
  26.5MB
- MD5
  
  1a82ca1cefa8f8149e4863d12bffc208
- SHA1
  
  0f3afb7c7a2a43a7d491d8470f93387f28726c57
- SHA256
  
  6241962efc369ae229a335c6a9780c649d9fa9cb822f86cea04cd9ac0f9a6ae8
- SHA512
  
  185a0e528fbe688c37f1e40e5491e8e1231179c8fc4c24ea443c7d77a90ce0956da7d4cf0104daa352ac2ffb871b0e37a9711492e6565f2b322b2389bf4f5748
- SSDEEP
  
  786432:jPonEGicqyyx3O/3aqF5yoR8be+uwEfK9:jwnXicI3O/nke+uwEfK9
Score

9^/10

bootkit discovery evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaHelp.chm
- Size
  
  1.5MB
- MD5
  
  5a94908701ee341f58ffec7edd19506d
- SHA1
  
  d351b67b7c7624956239706035ef61cd6a1fb886
- SHA256
  
  e84720dba3352a0a0acdfca352cb11a37d8cdce40fb1c8b48e17375a2aae83c2
- SHA512
  
  219b996bf62e060c3e516705a8532dcf257f278b8f336bbaa12ed3aac7f22220d6bf562e709c177391b0d53167f72fd765b31d565e37c9135d782c007aed911b
- SSDEEP
  
  24576:SrjDSVnRAyjXTizAYvQ2D+0O49BXVidLS61DrWQuctptqw3GZUXBlr4V5idCXneh:SfDIRJ3izRQ2DL7XVidn1DCJWpbnT8Ve
Score

1^/10
behavioral3 behavioral4
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaSDK/ExamplesSDK/Plugins/Examples/C/Debug/TestPlugin.dll
- Size
  
  69KB
- MD5
  
  526b73cc04d8515837a5ca78702e210c
- SHA1
  
  e3fecadd4ea461cd00c9eb594bade03eb4dbc979
- SHA256
  
  1cb663b75bebe168a4ce24f6f48f23c3eb0715ed305ec500032dfe5803daf331
- SHA512
  
  1eaf85eb691ef238ea6265ee7817836dcf3b927cbc476cbf925e12fb19921e07281164987ddecbb2d2b2fae9eb35d2cbf0fe3794015a310e9e607ad3efffbdc5
- SSDEEP
  
  768:pBwRJJM9RALILLSsPafOwRI02EiO8OaAP6Bu4oPhbYfY/UBBHNEDoiNx:pBwRJJM9RE4/axRPa8nLbv/UP8
Score

3^/10

discovery
behavioral5 behavioral6
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaSDK/ExamplesSDK/Plugins/Examples/C/x64/Debug/TestPlugin.dll
- Size
  
  84KB
- MD5
  
  8fc6575d7e2952e6396166709610f994
- SHA1
  
  d090aa4b3ec64f8908b87b08629b9c3338baaced
- SHA256
  
  9588f80a5212d1c043e8a0e541dc6bec4f6ad9ead93995580c1785c75d77da1a
- SHA512
  
  d045db8187c1693b5c9f7d4880faf200cc2dca070401fd843b8dd64c078eab00d3b213d6426041bf99c0a1569bbb8acf4167261c952689ac26cec9131a39751c
- SSDEEP
  
  768:mlZwkNwEACLT/s3/e/9NBUl8WSWHCsedpPbGFzCTPmPU3UvX9kDvtucJkFtu1PJH:mbJTEveLQt2PbGBCDmPU3UPStulFIxH
Score

1^/10
behavioral7 behavioral8
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaSDK/ExamplesSDK/Plugins/Examples/Delphi/TestPlugin.dll
- Size
  
  781KB
- MD5
  
  a0c11ec5a3660bd3e3016028a30e7a59
- SHA1
  
  9fc0a3b95ade3bcd7ac18d3924637fbe681093cb
- SHA256
  
  74f5a5e7c73881ee9feb59e19d597a279c39769732a638cb415ea394f64e963b
- SHA512
  
  faaec36699fa7aaffc0f10723bb6b8e64bc089e10fb74e4f9bb5fcb00a65a9fbfa33aefb34ead343f97dea240688ba82ea54482c0d251ff4aa25a4467156cde7
- SSDEEP
  
  24576:NHW8c//////vbHsdqjj1tt4ctGi7HeqF:Ndc//////vbHsY5t2cLzey
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/CBuilder/Project1.cpp
- Size
  
  1KB
- MD5
  
  93b812faa14fc235204acc81cb6256c3
- SHA1
  
  c8a2907eb28940efaeb3e3aaf5816f85edc0c419
- SHA256
  
  8ef2ed5bdd6c0172b53ba70b31481e0209d51c0cb6d67871642371c5638ac672
- SHA512
  
  804983cc99118e8c609d1f0177ab77b835247640cc75b4d9f6a44094fb7eddce1ff8aa76d7da8e85e92bc6d7072e424b109ef11fd0dffacf40f16f06d39e8f87
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/Visual C++/vc_example.plg
- Size
  
  1KB
- MD5
  
  97ea28334d67d71e4a96b56d76fe0d15
- SHA1
  
  caffb42a57d09d6b8246c583f0d76004fd003d86
- SHA256
  
  9965e660e07492e5c45bc7c52b981d1d65f6341a415979742418f5f699c1e771
- SHA512
  
  0f2c0e693dd4e83e3c0bd2b68f6015a878f77b87dd0c84da836416b74e4284e8787c19b5d361732ab0d45c2b9c924746d73dba1493d1722b93731db6229120a3
Score

3^/10

discovery
behavioral13 behavioral14
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaSDK/ExamplesSDK/Protection Macros/C/CBuilder/Project1.cpp
- Size
  
  1KB
- MD5
  
  93b812faa14fc235204acc81cb6256c3
- SHA1
  
  c8a2907eb28940efaeb3e3aaf5816f85edc0c419
- SHA256
  
  8ef2ed5bdd6c0172b53ba70b31481e0209d51c0cb6d67871642371c5638ac672
- SHA512
  
  804983cc99118e8c609d1f0177ab77b835247640cc75b4d9f6a44094fb7eddce1ff8aa76d7da8e85e92bc6d7072e424b109ef11fd0dffacf40f16f06d39e8f87
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaSDK/Include/C/Via ASM module/How to add ASM files in your Solution.pdf
- Size
  
  143KB
- MD5
  
  fa1cd447a7563f9f3ab781603be8fe74
- SHA1
  
  199386d987576725d1061e661da266065114cc1d
- SHA256
  
  57c54fc2e3551950a3721a97ffc5ff187be67e858fd078aec27ad313d3c5377a
- SHA512
  
  0be0725d7c72e86ae0a8b3d956e8e20a55df28b1b664e94e2a160446f308481804c3cfaa58b3406addc5e2db777a190548f458cb462f95ab8a7d852fc174a4f7
- SSDEEP
  
  3072:GxWQKotRiBw5z+i9IMmGrjXdIN//6XOy1QOO5XMK23c7cJ2pWESscNq5AorSA7eK:IWQBR95rZpI1/MOEQOO5XMK2YzSscirf
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaSDK/SecureEngineSDK32.dll
- Size
  
  28KB
- MD5
  
  4a05ec5f2b81d2a10762069474db29e4
- SHA1
  
  327cd6152c3b7612b6c27bbc85335047cf20ad86
- SHA256
  
  b8602138a1c138ea7fd9df8687e2a1f094959f7357688cbee7b44b060ea8179f
- SHA512
  
  209f44159d901bc89369ee6012b13fab4b0d1cbe91657c417fac4b3009e7033da23f8c21fe3b825c171e9de9424dea7b5c071e48afdbbed91a1e1a8744e0cd1a
- SSDEEP
  
  192:IMY8s5EvuxBd4uMf9mP3CTND0SqX5xS5caB7UcSAfM5IBizxUv:IMYTxBybPTND0fnjA05
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/ThemidaSDK/SecureEngineSDK64.dll
- Size
  
  28KB
- MD5
  
  92ff442bee98d2df4c2bbc2e8a3e019f
- SHA1
  
  95c7637bbfc6c1ba583068769589c7ffc5a0955b
- SHA256
  
  a989c8bcb5f111fa6a2e538c4c79c62be515f1713b2310cb9f60c58d6536166b
- SHA512
  
  9949f6e7eab3e2fd14f276ee0fac83ddfc2be40ca668c15f0c3e897bd3e7517fad04e8966d022c1efa8605cc14629d71943af1eff9aed1633206d64feede14dd
- SSDEEP
  
  192:I+Ai08s5GvuxBdKKCeotPpWZlNCryWlHqX5xS5haBWUcSAfMVIBizxUv:I+AdZxBnCeqPpWZglsfSgA0V
Score

1^/10
behavioral21 behavioral22
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/WinlicenseSDK.dll
- Size
  
  214KB
- MD5
  
  89cf33cbe62f8b7c15d0cb47d3ae4ffd
- SHA1
  
  81ca15044476606cf5ef13a1372c6f5e06ba2eb2
- SHA256
  
  9063dc5b7a3e57fc94b8b753e4aa869efcab683637776335f5723c4140a751e3
- SHA512
  
  b8e39e3d55482c707f54f491a11e7f9fbd9f5aca4439b9cdce164b595f0cccb176134d716bbc3f9e29acc856cf6351319769cf3dcc159eb0947912ddd451b8ce
- SSDEEP
  
  3072:+jwj/ejqrLuDGNBwROk5vIPqpoGpMQIs6QIVhiy6q:Qwzj9BE9vISik4Qe6q
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/build.dll
- Size
  
  26.5MB
- MD5
  
  1f98c492872020543e4c944bbc6c39d7
- SHA1
  
  9766f47c7f67fa04bb3439a877b705910e3e5ac5
- SHA256
  
  5e1b00d4486377d56afe7ff819dbec01d9aa2f2c27e9b9dc7ee48d22b58dc175
- SHA512
  
  e30b3d7bb95c14c57f00bbed6daa87d4c64167d980cd9f5e9e055ddfd98c0089521edb900acb67f05ec31ed6599fca8420c4697dbb3b6f58ac0750c783fa4253
- SSDEEP
  
  393216:uFFoqa6Fyb4NdjjzzYkFpWNkovt9QwPnoUuJLYtVFzvCtd8BIZrp/ta7zF0+y2Ch:u/9Nd3zckFAnVawPnMatVFzatdpR4Pbe
Score

9^/10

bootkit discovery evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral25 behavioral26
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/core.lib
- Size
  
  266KB
- MD5
  
  844833448fd88595cfd89585218461a9
- SHA1
  
  0f16d31888826e9c12a276c0c833746579b9a9bb
- SHA256
  
  b0c6309b5d91a2a00e95bcc4311cb8494cfcc73f7129efd2417de573ded46868
- SHA512
  
  ab559b700b7b1be6b6c946fed459053d106d239f3cb331c30ac1e0608a3fee9984ce4a53f78a19c58973a2da07e0e775dfa9f0ac37d4aaab7cb514279b6d482e
- SSDEEP
  
  6144:r+ooju07VTrsxaMDQp/ti27M6orAOGEAKpff:r+ooju0JTrsxxDQptdcrM8ff
Score

3^/10

discovery
behavioral27 behavioral28
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/demangler.dll
- Size
  
  75KB
- MD5
  
  cc74ea40bb1b4eb866f6ee84f6b41a79
- SHA1
  
  42023cfd5af17afa02538a5f99141dcda15268e0
- SHA256
  
  47d5b5bf9fb06be2fef9f60da10e4b538e4d034937cb98cea143ffbf923c7d02
- SHA512
  
  1acc9f478ded50884f2bc9c6b6b5949de3e249696a0b744fecf3322ff306d822469e2e287a629d094735a4123e470b8b1253649a1b9d2dbabac856fc71e2d4d5
- SSDEEP
  
  1536:9KoHXYTGjqwOMdjN6A7dzrJBEJszChI5SteqG8Go/fWYyN:9jXYpLMdjAAzB0huStz/fz
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Themida_x32_x64_v3.0.4.0_Repacked/libspv.dll
- Size
  
  868KB
- MD5
  
  6c8042af9e749f6406b7bd7dcf98d7eb
- SHA1
  
  b7395c27c72eb4b78d8459bb379c613d5f2bb365
- SHA256
  
  8338de9a14e5bea902708b00d25c16ec5549639167b96ae162dcdd22f65ec955
- SHA512
  
  098a8292a4e35fd21bd4f35c729581dd59e5640b46c2761790864a4f6195c78c7014f33201d2b63ab990cdcb66bc9bbc1b7d76fd46df745e8586e111b159c3ad
- SSDEEP
  
  24576:JsB1pU8fkfwILenP0EooIvVXLb40mc4D4RP6vX:Js57kfwVIRW4RP6vX
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32