Overview

overview

9

Static

static

7

1a4b5d8c8a...c7.exe

windows7-x64

9

1a4b5d8c8a...c7.exe

windows10-2004-x64

9

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PROGRAMFI...it.dll

windows7-x64

3

$PROGRAMFI...it.dll

windows10-2004-x64

3

$PROGRAMFI...ge.dll

windows7-x64

3

$PROGRAMFI...ge.dll

windows10-2004-x64

3

$PROGRAMFI...er.dll

windows7-x64

3

$PROGRAMFI...er.dll

windows10-2004-x64

3

remedy.exe

windows7-x64

9

remedy.exe

windows10-2004-x64

9

simityvp.exe

windows7-x64

9

simityvp.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1a4b5d8c8adf2cac325be642c101f223102145b818546d497d71390104b180c7.exe

  • Size

    6.0MB

  • Sample

    241123-rsyt2asqal

  • MD5

    80b6e24eb1ec2ce3494629b82ff3f9ad

  • SHA1

    b050837f1f55f0d53af835f12c49aba1e6684206

  • SHA256

    1a4b5d8c8adf2cac325be642c101f223102145b818546d497d71390104b180c7

  • SHA512

    c19df4174a91c04ba49c3f3da095e15184c29e9f6eaddfe965de1a6969c2a74fdb62b2f3b50e8d9a1a0195c8eee2b7969a5de1ad066af36ec3e1145dad5443ff

  • SSDEEP

    196608:2UNH4DqDRM1YJhAPCQQDI+GdfkoWJDN5APPRv3gwP:2UyDqDRk+IsDNGQpN5AVPP

Score
9/10
discoveryevasionthemidatrojan

Malware Config

Targets

    • Target

      1a4b5d8c8adf2cac325be642c101f223102145b818546d497d71390104b180c7.exe

    • Size

      6.0MB

    • MD5

      80b6e24eb1ec2ce3494629b82ff3f9ad

    • SHA1

      b050837f1f55f0d53af835f12c49aba1e6684206

    • SHA256

      1a4b5d8c8adf2cac325be642c101f223102145b818546d497d71390104b180c7

    • SHA512

      c19df4174a91c04ba49c3f3da095e15184c29e9f6eaddfe965de1a6969c2a74fdb62b2f3b50e8d9a1a0195c8eee2b7969a5de1ad066af36ec3e1145dad5443ff

    • SSDEEP

      196608:2UNH4DqDRM1YJhAPCQQDI+GdfkoWJDN5APPRv3gwP:2UyDqDRk+IsDNGQpN5AVPP

    Score
    9/10
    discoveryevasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      bf712f32249029466fa86756f5546950

    • SHA1

      75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    • SHA256

      7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    • SHA512

      13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    • SSDEEP

      192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/UAC.dll

    • Size

      14KB

    • MD5

      adb29e6b186daa765dc750128649b63d

    • SHA1

      160cbdc4cb0ac2c142d361df138c537aa7e708c9

    • SHA256

      2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    • SHA512

      b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    • SSDEEP

      192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      c7ce0e47c83525983fd2c4c9566b4aad

    • SHA1

      38b7ad7bb32ffae35540fce373b8a671878dc54e

    • SHA256

      6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

    • SHA512

      ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      4ccc4a742d4423f2f0ed744fd9c81f63

    • SHA1

      704f00a1acc327fd879cf75fc90d0b8f927c36bc

    • SHA256

      416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

    • SHA512

      790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

    • SSDEEP

      192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      $PROGRAMFILES/foler/olader/acledit.dll

    • Size

      8KB

    • MD5

      8d96cb171b4138f43a754317be9e982c

    • SHA1

      3c2975e7904486f39be0455a63afaa063064a93e

    • SHA256

      727b96dca0363f7cd5767f94bf72e0655ef1d00f44b27d496deb733eb32be12b

    • SHA512

      ab58bd28169042d9502f64410e78aa41d219753d998ad5309699c57b50ce343b50aeb42dda8ef6a52f8057dcd1bc2b4b6e0de52819285dd3517ba3fa032e6ee3

    • SSDEEP

      192:peH8gcV+GQqYTBBBAkvyMQ0F3OWYTWPGP:YH8gcV+GQqyAMD0WYTWPq

    Score
    3/10
    discovery
    behavioral11behavioral12

    • Target

      $PROGRAMFILES/foler/olader/acppage.dll

    • Size

      45KB

    • MD5

      290075961dd4856211078377d14942c8

    • SHA1

      ad7f6dfd89a253daa70d5bbb46e819dae7eb3f61

    • SHA256

      949fd56c5a63d3f1c20769bc2285ac5517c4ca84250c807f18247a2d93efc1a4

    • SHA512

      b431198324315e172fafb062fce93c5d5b18e691150e5e26dec30f150622c38ce4342b9e9f5d4d847860a55e7fb75411bb8765a0f0ae87c99e0dc30f1bc42854

    • SSDEEP

      768:ppb1tuabwj1WVIlaFKuIJJPclXkxAc5J9UaXotuM5Uqw2mom:Uj1WelaFczPclwYtuM6qw2

    Score
    3/10
    discovery
    behavioral13behavioral14

    • Target

      $PROGRAMFILES/foler/olader/adprovider.dll

    • Size

      48KB

    • MD5

      f981199c82a40cf638d313c4498ecab9

    • SHA1

      9f2ba1092a90b048aaf51304d139018e13144f3b

    • SHA256

      338287ddb5fdbf0f7540dac8ae8a3f02643f7b45f3b401a9dfa6447e39043049

    • SHA512

      09b33588e58c50036614e0fa26ccd8d94ae810f63d95c8464ae74cb9169f4ddcbcd8c019d656cd313ed65f8bb92b9782cf319866ce2a9ba1c003bd62a1bed171

    • SSDEEP

      768:Amge8Q4UsMhIrA1pifdlIGHmizKO6EjjKRyGlqesRtgjEDy:AG548IrA1pifdRHmizKiWRPlqPjy

    Score
    3/10
    discovery
    behavioral15behavioral16

    • Target

      remedy.exe

    • Size

      3.3MB

    • MD5

      a549bfe1170323076f438b7199bd39da

    • SHA1

      fb893bcde83c6a8544276f464f03ec762cd3ca0a

    • SHA256

      10a7145031d494fa4b85a71bf01ada3362ce77cd94dc8f6bd7c0afcf7797aac8

    • SHA512

      469a623678fe783cac684b61431b8694f88cb23cf048df3e2d3e0f7955f92f79dcc58de03788d7a34c6ec7e9511c0902f72e8484ccf2834bb4275d362d81ceda

    • SSDEEP

      98304:nUxwcPkH5x8SBBAnsj0b5MDcTSsvU44fKVr:UxCx+nsj0b5MwesM4MKV

    Score
    9/10
    evasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral17behavioral18

    • Target

      simityvp.exe

    • Size

      2.6MB

    • MD5

      7acd70f3dfdcd33dbe40603e939fcb79

    • SHA1

      d7f63d7b0a37b3d78d13e8ea783e0aba6507aa20

    • SHA256

      069539fb82534ac72239b2f35f4711cd4ac828d26ab29e159c1082f725b9999d

    • SHA512

      4ef930ac69b82f078084212d6e57ea0522568452aca5e35de3a0b85a99a9dae6209fcd394582ea64ac8d45e9708dffefada5d267254332bfa62da780d968cefc

    • SSDEEP

      49152:opjm0WOyUeKHY274eWPaAZOdZ8o5DnWCHZc2w94K0TAA5N:4jm0W24H/YdZ8AE2wOKODN

    Score
    9/10
    discoveryevasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Tasks

static1

themida
Score
7/10

behavioral1

discoveryevasionthemidatrojan
Score
9/10

behavioral2

discoveryevasionthemidatrojan
Score
9/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

evasionthemidatrojan
Score
9/10

behavioral18

evasionthemidatrojan
Score
9/10

behavioral19

discoveryevasionthemidatrojan
Score
9/10

behavioral20

discoveryevasionthemidatrojan
Score
9/10