Overview

overview

9

Static

static

7

6c7ec50485...d2.exe

windows7-x64

9

6c7ec50485...d2.exe

windows10-2004-x64

9

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PROGRAMFI...it.dll

windows7-x64

3

$PROGRAMFI...it.dll

windows10-2004-x64

3

$PROGRAMFI...ge.dll

windows7-x64

3

$PROGRAMFI...ge.dll

windows10-2004-x64

3

$PROGRAMFI...er.dll

windows7-x64

3

$PROGRAMFI...er.dll

windows10-2004-x64

3

remedy.exe

windows7-x64

9

remedy.exe

windows10-2004-x64

9

simityvp.exe

windows7-x64

9

simityvp.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6c7ec50485943ef850a67df20d7903522566f00e16506c1c03a772b9dc6bebd2.exe

  • Size

    6.2MB

  • Sample

    241123-v6m68syney

  • MD5

    630a229aab8ec12bf60aead2a2b61a5a

  • SHA1

    dad6d0abec7d425530020dc871d67eceb9f771bb

  • SHA256

    6c7ec50485943ef850a67df20d7903522566f00e16506c1c03a772b9dc6bebd2

  • SHA512

    d4ede1cf3ed345f54c44c94eb8ce1d57a345b315bbde78eb6009e931af040f58219ca242721d6944ac01582035be7f3873760ffa75e15bec8cc9d35a89070ec8

  • SSDEEP

    196608:FG2uiMQB3oZJNJp39JNa1XfeFPIlIOYszyKXj0rO:FGBQBY7NJp81XYIXYvKXiO

Score
9/10
discoveryevasionthemidatrojan

Malware Config

Targets

    • Target

      6c7ec50485943ef850a67df20d7903522566f00e16506c1c03a772b9dc6bebd2.exe

    • Size

      6.2MB

    • MD5

      630a229aab8ec12bf60aead2a2b61a5a

    • SHA1

      dad6d0abec7d425530020dc871d67eceb9f771bb

    • SHA256

      6c7ec50485943ef850a67df20d7903522566f00e16506c1c03a772b9dc6bebd2

    • SHA512

      d4ede1cf3ed345f54c44c94eb8ce1d57a345b315bbde78eb6009e931af040f58219ca242721d6944ac01582035be7f3873760ffa75e15bec8cc9d35a89070ec8

    • SSDEEP

      196608:FG2uiMQB3oZJNJp39JNa1XfeFPIlIOYszyKXj0rO:FGBQBY7NJp81XYIXYvKXiO

    Score
    9/10
    discoveryevasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      bf712f32249029466fa86756f5546950

    • SHA1

      75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    • SHA256

      7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    • SHA512

      13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    • SSDEEP

      192:0N2gQuUwXzioj4KALV2upWzVd7q1QDXEbBZ8KxHdGzyS/Kx:rJoiO8V2upW7vQjS/

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/UAC.dll

    • Size

      14KB

    • MD5

      adb29e6b186daa765dc750128649b63d

    • SHA1

      160cbdc4cb0ac2c142d361df138c537aa7e708c9

    • SHA256

      2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    • SHA512

      b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    • SSDEEP

      192:DiF6v2imI36Op/tGZGfWxdyWHD0I53vLl7WVl8e04IpDlPjs:DGVY6ClGoWxXH75T1WVl83lLs

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/UserInfo.dll

    • Size

      4KB

    • MD5

      c7ce0e47c83525983fd2c4c9566b4aad

    • SHA1

      38b7ad7bb32ffae35540fce373b8a671878dc54e

    • SHA256

      6293408a5fa6d0f55f0a4d01528eb5b807ee9447a75a28b5986267475ebcd3ae

    • SHA512

      ee9f23ea5210f418d4c559628bbfb3a0f892440bcd5dc4c1901cb8e510078e4481ea8353b262795076a19055e70b88e08fee5fb7e8f35a6f49022096408df20e

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      4ccc4a742d4423f2f0ed744fd9c81f63

    • SHA1

      704f00a1acc327fd879cf75fc90d0b8f927c36bc

    • SHA256

      416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

    • SHA512

      790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

    • SSDEEP

      192:SbEunjqjIcESwFlioU3M0LLF/t8t9pKSfOi:SbESjFCw6oWPFl8jfOi

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      $PROGRAMFILES/foler/olader/acledit.dll

    • Size

      8KB

    • MD5

      8d96cb171b4138f43a754317be9e982c

    • SHA1

      3c2975e7904486f39be0455a63afaa063064a93e

    • SHA256

      727b96dca0363f7cd5767f94bf72e0655ef1d00f44b27d496deb733eb32be12b

    • SHA512

      ab58bd28169042d9502f64410e78aa41d219753d998ad5309699c57b50ce343b50aeb42dda8ef6a52f8057dcd1bc2b4b6e0de52819285dd3517ba3fa032e6ee3

    • SSDEEP

      192:peH8gcV+GQqYTBBBAkvyMQ0F3OWYTWPGP:YH8gcV+GQqyAMD0WYTWPq

    Score
    3/10
    discovery
    behavioral11behavioral12

    • Target

      $PROGRAMFILES/foler/olader/acppage.dll

    • Size

      45KB

    • MD5

      290075961dd4856211078377d14942c8

    • SHA1

      ad7f6dfd89a253daa70d5bbb46e819dae7eb3f61

    • SHA256

      949fd56c5a63d3f1c20769bc2285ac5517c4ca84250c807f18247a2d93efc1a4

    • SHA512

      b431198324315e172fafb062fce93c5d5b18e691150e5e26dec30f150622c38ce4342b9e9f5d4d847860a55e7fb75411bb8765a0f0ae87c99e0dc30f1bc42854

    • SSDEEP

      768:ppb1tuabwj1WVIlaFKuIJJPclXkxAc5J9UaXotuM5Uqw2mom:Uj1WelaFczPclwYtuM6qw2

    Score
    3/10
    discovery
    behavioral13behavioral14

    • Target

      $PROGRAMFILES/foler/olader/adprovider.dll

    • Size

      48KB

    • MD5

      f981199c82a40cf638d313c4498ecab9

    • SHA1

      9f2ba1092a90b048aaf51304d139018e13144f3b

    • SHA256

      338287ddb5fdbf0f7540dac8ae8a3f02643f7b45f3b401a9dfa6447e39043049

    • SHA512

      09b33588e58c50036614e0fa26ccd8d94ae810f63d95c8464ae74cb9169f4ddcbcd8c019d656cd313ed65f8bb92b9782cf319866ce2a9ba1c003bd62a1bed171

    • SSDEEP

      768:Amge8Q4UsMhIrA1pifdlIGHmizKO6EjjKRyGlqesRtgjEDy:AG548IrA1pifdRHmizKiWRPlqPjy

    Score
    3/10
    discovery
    behavioral15behavioral16

    • Target

      remedy.exe

    • Size

      3.5MB

    • MD5

      163219e1c4f789b48114bc15e4fc598e

    • SHA1

      e9cb9216bb0c52c8c77314c7a68381f46865dacc

    • SHA256

      0bab70088222eb4e9ca0a4b40e6a5476575396af88be6796e856b2d640c32724

    • SHA512

      176a80700127f07790586863827bda4da21439647c57ab8857d124b142f0eb9682ee57c1ea7d83c2372389fb5f35e068eb77385c0e9eac574c8363b6d2e3d8e6

    • SSDEEP

      98304:8afLxoNrXcY9vY5xVUAMcj8drwf7BYnO2wGG8:VzxodXcY9vYrVUpcwdrwVBGX

    Score
    9/10
    evasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral17behavioral18

    • Target

      simityvp.exe

    • Size

      2.6MB

    • MD5

      9f466fa2a0a30ac516f46d4880b22619

    • SHA1

      04d75114ba14a3ef8425329772ddfa969e52570b

    • SHA256

      a26355756d9f2c768ee490a0c8e639b26b3a48a3aa4a1d3ff0aa0bad97b385f4

    • SHA512

      8092180a53226776c974a87964198cab23b17d34e6f68cc6ff9aa2ee2e75031766ab110e1d9c35c63c32121b7cec9ce17bee1e979f19bbecea980bd09955d58b

    • SSDEEP

      49152:u/VlbXp32n+MB8kHd8rKlyOyz7GS+hmpgo9pVzRJHOQe5c6wcBP7KyjRmCHrykb:u/TbZ3mG8dBlW7aUbjNJHredJBzKyjEe

    Score
    9/10
    discoveryevasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Tasks

static1

themida
Score
7/10

behavioral1

discoveryevasionthemidatrojan
Score
9/10

behavioral2

discoveryevasionthemidatrojan
Score
9/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

evasionthemidatrojan
Score
9/10

behavioral18

evasionthemidatrojan
Score
9/10

behavioral19

discoveryevasionthemidatrojan
Score
9/10

behavioral20

discoveryevasionthemidatrojan
Score
9/10