General

  • Target

    Agile.Net Advanced Obfuscation v6.6.0.42 Full Activated - WwW.Dr-FarFar.CoM.zip

  • Size

    71.1MB

  • Sample

    240902-1192pszckb

  • MD5

    5694f6fd9db2f1968e253aa2689671ef

  • SHA1

    e6a1b4c0d5bb82703d865009393bbc80a38c63a1

  • SHA256

    cce32abb77ab93a740d42b466d41536a1fcd4cd2512a5bb957dbdd21f375b9cb

  • SHA512

    abf08d28f34c291e3d936717cfd4b4600c226d6cf59dc3090f868960a871ea15ca0b65ae6d96a39de048f6e829eeb1120c36485cde408c1df7ecda4fd66f9ed7

  • SSDEEP

    1572864:xal0p9XIkCH8WUH8jUETEh/e6ro49Pg/WLIj17gTp96uKJY+GoGFUkLW3vHEXjRQ:J4BH8WUcAEanLgh7eP6rJfGFj63i9Q

Targets

    • Target

      Setup/Agile.Net Advanced .NET Obfuscation Full Activated.exe

    • Size

      71.6MB

    • MD5

      103edbef2a58a81ef73099d10de34f29

    • SHA1

      5acbf181704e36b1ebf0a6bc0da73546d130bc22

    • SHA256

      4560668d19692509407250b780e3213a30aba76039106b57585821fdc3a1dcb7

    • SHA512

      1168e60f6b88e40abe917a937b12db594db59bccdbd49e2c75e999db7d2188a87b9af4fcbf707e0693dedcceb57d048456ed15207a65a73eb217a3b30af4a19f

    • SSDEEP

      1572864:Gfz/3r6mvYHShnZZ6Hvdyf1kCIPDIhqJz/Jxyf3HKWaBukAE4vQktk9Fvwhtpcsc:kxvYHSLZ6HFI1q1RxKXKJBF4vFO9+vK

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15