3ecc7cb0d0c4d0509df3506fe19199daf409011d24c2163eb035919cfd3f1b85 | Triage

Sharing

General

Target

unl.rar
Size

4.4MB
Sample

240814-bmewzaycll
MD5

6ba19488c35123fc1e3973361bb1dd42
SHA1

7916a608fd178d83b94718b78a4d841157f5f831
SHA256

3ecc7cb0d0c4d0509df3506fe19199daf409011d24c2163eb035919cfd3f1b85
SHA512

14928e3b249f66a8b49c4afb11715b1e0921f0e7aba6449865a00ecb9e0a8cddf7bc6b6b56a0d984ec4018096e75a0b2d4a0f016de0201fdde6cb48829ecd143
SSDEEP

98304:E6amRFwnveHxouhYhVk9cF7i+xW12fVyxUt21KZ0CmOv8dfEtYItW5zhmEI:E6JBHxodhVMcF7ikWOm+Z0C30ds5eVmt

Score

9^/10

discovery evasion themida trojan

Malware Config

Targets

- Target
  
  unl.rar
- Size
  
  4.4MB
- MD5
  
  6ba19488c35123fc1e3973361bb1dd42
- SHA1
  
  7916a608fd178d83b94718b78a4d841157f5f831
- SHA256
  
  3ecc7cb0d0c4d0509df3506fe19199daf409011d24c2163eb035919cfd3f1b85
- SHA512
  
  14928e3b249f66a8b49c4afb11715b1e0921f0e7aba6449865a00ecb9e0a8cddf7bc6b6b56a0d984ec4018096e75a0b2d4a0f016de0201fdde6cb48829ecd143
- SSDEEP
  
  98304:E6amRFwnveHxouhYhVk9cF7i+xW12fVyxUt21KZ0CmOv8dfEtYItW5zhmEI:E6JBHxodhVMcF7ikWOm+Z0C30ds5eVmt
Score

3^/10
behavioral1 behavioral2
- Target
  
  unl/Spotify.cfg
- Size
  
  51B
- MD5
  
  a31638f636f3cff044f77338c8a850ab
- SHA1
  
  ca46698adb72410d35bb56989a369880e503756f
- SHA256
  
  357a0410620a468d333a5235ec424a3bbc8b330ba16968f381e1c8ffa89dff39
- SHA512
  
  aafd96f0fda67c76d1cef2ed8ade0717baec758a99e6e110c62c79ae215a5dd1e90c7624adaecd9a68153c94b7ef69e7cc09e1a879ad4568d08b0170e6b66f85
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  unl/blobs/a.ini
- Size
  
  140B
- MD5
  
  f2c2615412f9de59726c794f8c0de4cd
- SHA1
  
  4b598a54a07f74e13f0e5c4cbe9a776f67a6e530
- SHA256
  
  7a7cf6e122964410f27a012803588001c1febb79b2f435f7f545a77f32928843
- SHA512
  
  a6d12943b9574e218ec3ef6a016b1bf396d05601cf12accf11636eb6e9458ae3601a0fcb1ddac641f009f2bd918bb6533589aa82cf13496335de002aee8341bc
Score

1^/10
behavioral5 behavioral6
- Target
  
  unl/blobs/b.ini
- Size
  
  16B
- MD5
  
  579d4b01df80191d7457f1449cdf516c
- SHA1
  
  ed66582816647cbfa1bef768e8eadf4240feba64
- SHA256
  
  b7f5af4f2b447ea8a36df2db3db7ecb3790385446e1b7f1958c02770ab907077
- SHA512
  
  f10b6f9019ea5048a9507c0983fc99a2e038a04e27f4d87463ed5770f8932a6587dca3636613e9b474be919f2a83d621e88abaadc7ad302b4b76c764ad1fe585
Score

1^/10
behavioral7 behavioral8
- Target
  
  unl/unl_cracked.exe
- Size
  
  4.6MB
- MD5
  
  6bd14ba77cb025fc393ab45feb780d20
- SHA1
  
  a6b483d04c243e473ddef816739549449b561fd9
- SHA256
  
  6ffce8c5338024d310dc6ffc9691fa1c7d337be4d6fcde62733c90ad6a47e35e
- SHA512
  
  f16600a68fe7254f8bd7dd3882b7def64aad293861110e381545ea01691cd0c4ae035facf270f37895deafd5cd23d951ffc807976022d1fff341c720f907d1f9
- SSDEEP
  
  98304:pzwC9MBykeG9JSkq4Qj7RqwDaQ3Y7el+KzMjHFSFxgm04mtVP5gMRA5J:pzwgfkP9JdZQjNDagY7e7Mj+xMHXvs
Score

9^/10

discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

discoveryevasionthemidatrojan

behavioral10

discoveryevasionthemidatrojan