General

  • Target

    TSMA.zip

  • Size

    333.2MB

  • Sample

    241103-j3524aslbk

  • MD5

    27b0cb5b1d976a4531e140c3d4607bc5

  • SHA1

    2d1a65b7b5377f540fbd9dcab1102ce5b0f7dda1

  • SHA256

    02075d6de1fda7331022cf61c38be386258b1f43a5777083ca615cd8fa4c315f

  • SHA512

    74ea09750397746710e9dc5560335cf1b4fd428415ef263314d7902c9901b1ad80574fba791b281a9a2dbe7f3c60e494c3557fb5aa86f7df98af480fed583e8e

  • SSDEEP

    6291456:hFGtbwP/+dlt+SiM4BVX5CSt3goBJU9ygQpu2/K2FE8dMwO/O7z:SwP/M8ljXwStZzQygQp3lWwd/

Malware Config

Targets

    • Target

      RPGVXAce_RTP/RTP100/Setup.exe

    • Size

      571KB

    • MD5

      f3a1050bac829eebf38a553db08c02e1

    • SHA1

      8a6a2a4e825b1b9de88791c03d7404e181fb0241

    • SHA256

      3b178f718655dab3c444857b5e6fd755dc611de72dc229de486b3e06d8548fd2

    • SHA512

      9e52b8e46192f72eb06971ee06bad397304db7714df4fd0b8397e2bd9d23c1aacdb10667ec1dfeb3b03b600875656f2a60e3b8582ccb6e86aefcae4a38a895f7

    • SSDEEP

      12288:Z3Mjhv8888888888888W88888888888H09+kjn3bVNyRvh6QoqJh5+B+98LApiag:dMjhQ09+miWQpJh5n98LAoa58h5j

    Score
    7/10
    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      The_Moral_Sword_of_Asagi/Audio/SE/!$02_actor002_kiss02.ogg

    • Size

      279KB

    • MD5

      f50ceab119eaac8888958cf686952998

    • SHA1

      2bc296af251e7d26ae409a4032bf076faecd5ee9

    • SHA256

      6db8eb45388933d2d2047726cf36a56d82a720ae5bea887800601f7ff5ceda60

    • SHA512

      2a039f546e2cccc7a5462cc84ec4a84feb2ef33c9729178885039179362aab840ab2a6ac79e6cf7338e58719f4a16ca5db11c240d36242ec90a72785c20232b0

    • SSDEEP

      6144:OHz8sQv7aWnvPSrpyeemuCFvwVhGL66AcHKhoYlS8yZqktYGAFr:OH2a2ir8m5yVhGL66Acq2SUqkWZ9

    Score
    3/10
    • Target

      The_Moral_Sword_of_Asagi/Game.exe

    • Size

      137KB

    • MD5

      bd9ebb7d09f9111a9f0a0ba2238eaf80

    • SHA1

      28c753124d845f61373be87d392ab839914ebdc5

    • SHA256

      e5435c0e86a8181a3d88206d5dd47145f2aa768afcae6d8c2ae449f8601a8724

    • SHA512

      f2dcdc9a1e64af74eeded730112d87d97ca2e5d894f25324b27c5f1b0680c948e3bcc73136615a4822ac6a75ac43c3b21fb8dcd031ae4203c2798bc6f9773231

    • SSDEEP

      3072:fWK+I+/wslzo5lwTU6gixJpLOaHIYsrIjPW4:fWK+xZSixJEaoYsM+4

    Score
    3/10
    • Target

      The_Moral_Sword_of_Asagi/System/RGSS301.dll

    • Size

      1.0MB

    • MD5

      dd25855ac39d32da033902fc58fa210b

    • SHA1

      0ffa23a4d0b81438a329258f5c8d3b3403f4aa94

    • SHA256

      27647690ed16218cd988dd71069fdca67207515b2a2df775be361f0198ab6876

    • SHA512

      07f7f7cb4eda2165b4b28456fb01d4edea6e3d5f305dde19256865777905a0d0bb1d13ce1194a8639d740f633ccf1507a1b87530644d5e2d512a86829195ae60

    • SSDEEP

      24576:+pc8WbPqpzFwdPhet279ae3P7zqP2JzCNkX67Flr1nH0F3ia:+pc8W7qEdPhet2hae3HfJR2Uf

    Score
    3/10
    • Target

      The_Moral_Sword_of_Asagi/WFExit.dll

    • Size

      42KB

    • MD5

      bb0d332a65b2a3eefb6a8734ee37a699

    • SHA1

      98fff9d24e4db5da63bb33d490eb4908292895cc

    • SHA256

      99234d8f4ac85c698fc1c57c2308a8b5d41e6c2b9ee3f9c029df083861c5450e

    • SHA512

      233de12240a5dfc97385b21cc129987ca5064dab2040f2ae393cf9da3876691f4a69994219c301d2cb7e803f1dfec8e7d624d1d0068297fb5725727cee5f8bd9

    • SSDEEP

      768:Nlb+JkEIkp2NBwVUGvvFLVSb01ugHoMRrlifh:Ha1qBAvvqittRr4fh

    Score
    3/10
    • Target

      The_Moral_Sword_of_Asagi/wfAudio.dll

    • Size

      1.3MB

    • MD5

      e8ef96133fe3f49c5d13c94cb057ceee

    • SHA1

      20afa582538ba1c3ec67947e5e34f31ec2ae83fa

    • SHA256

      9df651fbd67e43aa6b894f35d5b30b260fefce730ec273c4f30694ca4ce9a4e1

    • SHA512

      e60fb592e7330bf50265bd0180dcb3a0a0ee2016d0821604ffc70c4b7051c4cf218b859f46c045221cadeed37e7b33a7f2e9d308b2dd740958f7ab51c38fa5e6

    • SSDEEP

      24576:H75/Pr3be36e1/GmidV2zggzoUCXFyMG+Nk9ZHUVguEVo:HRXo+rdV2zzzoUCbVkLiWo

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
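
The signatures above (the Uninstall-key enumeration reported for Setup.exe, and the VirtualBox ACPI, BIOS, Wine and ThreadHideFromDebugger checks reported for wfAudio.dll) are all matches on registry paths and API arguments in the sandbox's trace. The script below is an added example, not the sandbox's own rule set and not code from the sample: it re-implements each of those signatures, plus the "Executes dropped EXE" correlation, over a constructed "api|argument" trace. The trace format and the file paths are made up for the example; the registry locations are the well-known ones each signature name refers to, but the report does not say which exact keys its rules matched, so treat those path lists as assumptions.

```python
"""Classify a sandbox API/registry trace into the signatures this report lists.

Added example, not the sandbox's rules and not code from the sample.  The
"api|argument" trace format and the file paths are constructed stand-ins; the
registry paths are assumed from the signature names, not taken from the report.
"""
import re

# ThreadHideFromDebugger is THREADINFOCLASS 17 (0x11); a thread with it set stops
# delivering debug events, which is what the last signature in the report flags.
THREAD_HIDE_FROM_DEBUGGER = 0x11

BIOS_VALUES = ("SYSTEMBIOSVERSION", "VIDEOBIOSVERSION", "SYSTEMBIOSDATE",
               "SYSTEMMANUFACTURER", "SYSTEMPRODUCTNAME")


def _norm(path):
    """Case-fold and backslash-normalise a registry or file path."""
    return path.replace("/", "\\").upper()


def sig_uninstall(api, arg):
    # Enumerating ...\CurrentVersion\Uninstall lists the installed software.
    return api.startswith("Reg") and "\\CURRENTVERSION\\UNINSTALL" in _norm(arg)


def sig_vbox_acpi(api, arg):
    # VirtualBox guests expose ACPI tables whose OEM ID is "VBOX__".
    p = _norm(arg)
    return api.startswith("Reg") and p.startswith("HKLM\\HARDWARE\\ACPI\\") and "\\VBOX__" in p


def sig_bios(api, arg):
    # BIOS vendor/version strings usually name the hypervisor inside a VM.
    p = _norm(arg)
    return (api.startswith("Reg")
            and p.startswith("HKLM\\HARDWARE\\DESCRIPTION\\SYSTEM")
            and p.rsplit("\\", 1)[-1] in BIOS_VALUES)


def sig_wine(api, arg):
    # Wine creates Software\Wine under HKCU and HKLM; real Windows has neither.
    p = _norm(arg)
    return api.startswith("Reg") and (p.startswith("HKCU\\SOFTWARE\\WINE")
                                      or p.startswith("HKLM\\SOFTWARE\\WINE"))


def sig_hide_from_debugger(api, arg):
    if api != "NtSetInformationThread":
        return False
    m = re.search(r"ThreadInformationClass=(0x[0-9A-Fa-f]+|\d+)", arg)
    return m is not None and int(m.group(1), 0) == THREAD_HIDE_FROM_DEBUGGER


# Signature names are the report's own, so the output lines up with it.
SIGNATURES = [
    ("Checks installed software on the system", sig_uninstall),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", sig_vbox_acpi),
    ("Checks BIOS information in registry", sig_bios),
    ("Identifies Wine through registry keys", sig_wine),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", sig_hide_from_debugger),
]
ANTI_ANALYSIS = {name for name, _ in SIGNATURES[1:]}
PROCESS_APIS = ("CreateProcessW", "CreateProcessA", "ShellExecuteExW")


def classify(trace_lines):
    """Map each report signature to the trace records that triggered it."""
    hits = {}
    written = set()  # files the sample wrote; executing one is "dropped EXE"
    for line in trace_lines:
        line = line.strip()
        if "|" not in line:
            continue
        api, arg = line.split("|", 1)
        if api in ("WriteFile", "NtWriteFile"):
            written.add(_norm(arg))
        elif api in PROCESS_APIS and _norm(arg) in written:
            hits.setdefault("Executes dropped EXE", []).append(line)
        for name, pred in SIGNATURES:
            if pred(api, arg):
                hits.setdefault(name, []).append(line)
    return hits


def anti_analysis_count(hits):
    """Number of distinct evasion signatures that fired (what drives a high score)."""
    return len(ANTI_ANALYSIS.intersection(hits))


# Constructed trace with the kinds of records a sandbox hook log would hold.
SAMPLE_TRACE = r"""
RegOpenKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
RegEnumKeyExW|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
WriteFile|C:\Users\analyst\AppData\Local\Temp\rtp_helper.exe
CreateProcessW|C:\Users\analyst\AppData\Local\Temp\rtp_helper.exe
RegOpenKeyExW|HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegOpenKeyExW|HKLM\HARDWARE\ACPI\FADT\VBOX__
RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegQueryValueExW|HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion
RegOpenKeyExW|HKCU\Software\Wine
NtSetInformationThread|ThreadInformationClass=0x11
RegOpenKeyExW|HKCU\Software\Microsoft\Windows\CurrentVersion\Run
""".strip().splitlines()

if __name__ == "__main__":
    result = classify(SAMPLE_TRACE)
    for name, records in result.items():
        print(f"[{name}] {len(records)} record(s)")
    print("anti-analysis signatures:", anti_analysis_count(result))
```

Running it on the constructed trace reproduces all five named signatures plus "Executes dropped EXE", with four anti-analysis signatures counted, which is the pattern behind the 9/10 score on wfAudio.dll. The caveat a triager wants: each of these checks is also common in commercial packers, DRM and anti-cheat layers shipped with games, so the count is a reason to look at the DLL, not a verdict on it; the 7/10 on Setup.exe rests on an Uninstall-key lookup and a dropped executable, both routine for an installer.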

MITRE ATT&CK Enterprise v15

Tasks