49d00fdd4f022da0c2c88062d805c9b810520cf94cd50b575956b94c7e0587cd | Triage

Submit
Reports

Overview

overview

9

Static

static

7

49d00fdd4f...cd.exe

windows7-x64

9

49d00fdd4f...cd.exe

windows10-2004-x64

9

Sharing

Copy URL Twitter E-mail

General

Target

49d00fdd4f022da0c2c88062d805c9b810520cf94cd50b575956b94c7e0587cd
Size

5.8MB
Sample

240911-p7naqs1fqn
MD5

9c303558c5726754082bc64ed80f05c8
SHA1

26a29e9797efcbf5614c0ef4bbeddbbdb2cf1b78
SHA256

49d00fdd4f022da0c2c88062d805c9b810520cf94cd50b575956b94c7e0587cd
SHA512

dc11551654d53ac8010c0cb6dc37fd42116f791524aa076c1d260e66d2b8dad7ef932061de5d4c68045a230ec6a32356c5554ca5cb694495f97601da96d7e1ad
SSDEEP

98304:a6oG3V1aidUiGcCSi3h4i4Ulbgg+puwW4lKLKgPSBMHYMM54ZB8/+vlYfpnGnd7u:fpeidLDCBxf1l7+putPSBMHYMnB0+tYf

Score

9^/10

bootkit discovery evasion persistence themida trojan upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

49d00fdd4f022da0c2c88062d805c9b810520cf94cd50b575956b94c7e0587cd.exe

Resource

win7-20240903-en

bootkit discovery evasion persistence themida trojan upx

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

49d00fdd4f022da0c2c88062d805c9b810520cf94cd50b575956b94c7e0587cd.exe

Resource

win10v2004-20240802-en

bootkit discovery evasion persistence themida trojan upx

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  49d00fdd4f022da0c2c88062d805c9b810520cf94cd50b575956b94c7e0587cd
- Size
  
  5.8MB
- MD5
  
  9c303558c5726754082bc64ed80f05c8
- SHA1
  
  26a29e9797efcbf5614c0ef4bbeddbbdb2cf1b78
- SHA256
  
  49d00fdd4f022da0c2c88062d805c9b810520cf94cd50b575956b94c7e0587cd
- SHA512
  
  dc11551654d53ac8010c0cb6dc37fd42116f791524aa076c1d260e66d2b8dad7ef932061de5d4c68045a230ec6a32356c5554ca5cb694495f97601da96d7e1ad
- SSDEEP
  
  98304:a6oG3V1aidUiGcCSi3h4i4Ulbgg+puwW4lKLKgPSBMHYMM54ZB8/+vlYfpnGnd7u:fpeidLDCBxf1l7+putPSBMHYMnB0+tYf
Score

9^/10

bootkit discovery evasion persistence themida trojan upx
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

Bootkit

Privilege Escalation

Defense Evasion

Pre-OS Boot

Bootkit

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bootkitdiscoveryevasionpersistencethemidatrojanupx

behavioral2

bootkitdiscoveryevasionpersistencethemidatrojanupx

© 2018-2025

Terms | Privacy