General

  • Target: NewLoader.zip
  • Size: 105.3MB
  • Sample: 240811-2xfjcsxdqf
  • MD5: cb3d9f5ad95dbcb0507af2b08730ad9f
  • SHA1: 9512bbb12fc919f1338069df5677829d09b646e0
  • SHA256: 9f60a00eedeee1b382a1ee47209c8c056a4ebbfbf45726aaa1f0909371b3ca9e
  • SHA512: 3e547ab95a505013c63af5bf713493cced0dd63e6e66ec346df00e4181457137f9b3fb420db5bec246907e1ed07bf0e54d22615c8e4d4cebc938b90c9b820d75
  • SSDEEP: 3145728:2LgO9FPp8U4Um3oV79RkBMxRUqv6Z/gGotPJhIy:Kg+lp8Um4Ve+ViVePF

Malware Config

Targets

    • Target: LoaderDownloader.exe
    • Size: 592KB
    • MD5: f25f8c6de26e307e7c49936c880b0ac7
    • SHA1: 7e154481d7a98aa7c6d4c9fd0ed2e9399623704a
    • SHA256: c8f2d4f58c3a7cf294d8e2a57a1e14047db191c126b6806c347f2ab9a3ea4dd0
    • SHA512: 43ef0f1c9563acd5627e6839efb6387b771d35dbd235e7cb87f76ed06f3b8e76f6033b213fb9cae88272930697834d746a3d06d7be24a04da6a5828a5168b3b2
    • SSDEEP: 12288:XTPHl0zka+1bz11XXCL+OzL5ybnG22xATL4jQB:jPHl0zka+1n11XXo+OzL5ybnG22uz

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: RivaTuner.zip
    • Size: 22.6MB
    • MD5: 08b28f05d55e03402a21f91380a51977
    • SHA1: 574556624b246d31ede2ca559107a9d0e5ade927
    • SHA256: 3665be0835815d6c02d39dcdec81168120ef081e7de1468fa2b2ec8fc7cec7ed
    • SHA512: 96c6a4021011cec350156f70ab2239a05957948afc00af583fd6539278df1bc94613cb44e9bde1c0f749f75ba3c39be2afa7cfdf09c44e957b552c102a821e58
    • SSDEEP: 393216:EMHmwJjySayTuOhbZdQ9L4hIlvVbRQApfolim4sTBEJP2YJ2WqcQWfKSZy2sT1YS:dtJGSayTfhFdQZRl1VAliV2YJ+cQWfBo
    • Score: 1/10

    • Target: VenomLoader.pdb
    • Size: 7.0MB
    • MD5: 29ac5338eede0d2189746832d0c999af
    • SHA1: 29a8a044672fe5b04dbc08b3728ab0e005234c3e
    • SHA256: 15fdca80a9fa304e5b93d038acc87fcd08fac4af6c5e9cbfcd167c4db9d25146
    • SHA512: 020fdc082324f916b975413d23c75dd296a43b6721aaad2ed505a3b684d09f3bbdb0dcbcedaff9990d8475f5527768a1c8fb9fd96874e266cc09e45e3da8cf34
    • SSDEEP: 49152:XOR9/IBdBFoGNTMed56aJsK9haTdk5hQreZ9rdGcK2C:5FJMedTsK9haacrmrdGctC
    • Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks