b69d8840ba9740ad103758934ca3b45151244717ebb4b7d6b5a1acbcd0498f7f

General

Target

downloader (7).exe
Size

70.1MB
MD5

499602a4917bfdd7f90024b290b369b0
SHA1

f1621e8583bf40063e409a293f0c8cff37903033
SHA256

b69d8840ba9740ad103758934ca3b45151244717ebb4b7d6b5a1acbcd0498f7f
SHA512

a224437fb3205ce9da024c7b30415f39574658a43cdcbb4f1ccc077590d13a42d35243f002d91f653c0c4b7ea2072df2aae9878f4d36cbe1c88c9b38a2fd58ca
SSDEEP

393216:lWxQN89qQk4adiJCuE2fUCdod+OvqKkZHzXhJ/KTe8uiBUtkc0k3qjsGg4GUo3Nb:lWoI7zGF5ahWc3Iml

Score

9^/10

agilenet evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	XClient.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XClient.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\microsoft.lnk	XClient.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	XClient.exe

Loads dropped DLL 1 IoCs

pid	Process
2828	XClient.exe

Obfuscated with Agile.Net obfuscator 2 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/files/0x000c000000018718-6.dat	agile_net
behavioral1/memory/2828-9-0x0000000000F50000-0x0000000001658000-memory.dmp	agile_net

Themida packer 16 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0007000000018bc7-13.dat	themida
behavioral1/memory/2828-16-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-18-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-33-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-34-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-35-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-37-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-39-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-43-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-45-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-46-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-47-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-49-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-50-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-51-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida
behavioral1/memory/2828-52-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XClient.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2828	XClient.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2828	XClient.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2828	XClient.exe
2828	XClient.exe
2828	XClient.exe
2828	XClient.exe
2828	XClient.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1196	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	XClient.exe
Token: SeDebugPrivilege	2828	XClient.exe
Token: SeDebugPrivilege	1196	taskmgr.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe

Suspicious use of SendNotifyMessage 37 IoCs

pid	Process
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe
1196	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2828	XClient.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2840	2880	downloader (7).exe	31
PID 2880 wrote to memory of 2840	2880	downloader (7).exe	31
PID 2880 wrote to memory of 2840	2880	downloader (7).exe	31
PID 2880 wrote to memory of 2940	2880	downloader (7).exe	32
PID 2880 wrote to memory of 2940	2880	downloader (7).exe	32
PID 2880 wrote to memory of 2940	2880	downloader (7).exe	32
PID 2940 wrote to memory of 2828	2940	cmd.exe	33
PID 2940 wrote to memory of 2828	2940	cmd.exe	33
PID 2940 wrote to memory of 2828	2940	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\downloader (7).exe
"C:\Users\Admin\AppData\Local\Temp\downloader (7).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\Xbox.exe""
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start "" "C:\Users\Admin\AppData\Local\Temp\XClient.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2828

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
7.0MB

MD5
4fdd953a53303a4dd38242fee3b3c53a

SHA1
8d962de4d2f783a35b2666755e97928e446ceb1e

SHA256
5243fc913cc5de56bb4a58e73f9ee9715a8779146737fc7c865d4d5390ae750f

SHA512
5329acc05f07c5e82222877183e1e197cd6506a1cea24017930bf9f03159ea86f6853fc057378a646e8da79713e06f0f147c4b76135f058a9f21f737d8359737

Download Submit
\Users\Admin\AppData\Local\Temp\2ee4191c-6d2b-4025-92a2-d6b9b7e459b2\AgileDotNetRT64.dll

Filesize
4.2MB

MD5
05b012457488a95a05d0541e0470d392

SHA1
74f541d6a8365508c794ef7b4ac7c297457f9ce3

SHA256
1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

SHA512
6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

Download Submit
memory/1196-44-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1196-41-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1196-40-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2828-39-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-9-0x0000000000F50000-0x0000000001658000-memory.dmp

Filesize
7.0MB

Download
memory/2828-34-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-35-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-37-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-28-0x000007FEF44D0000-0x000007FEF45FC000-memory.dmp

Filesize
1.2MB

Download
memory/2828-18-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-16-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-43-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-33-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-45-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-46-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-47-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-49-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-50-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-51-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download
memory/2828-52-0x000007FEED9B0000-0x000007FEEE534000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads