industroyer

General

Target

https://cdn.discordapp.com/attachments/1292940347978285208/1310443916696354931/build-3.0.8.rar?ex=6749dac0&is=67488940&hm=0b2f69fd1c8b9466326d1c29a87b781211f3fe27d38c49ac3d00f84abb02321c&
Sample

241128-s8mx5sxpcj

Score

10^/10

Malware Config

Targets

- Target
  
  https://cdn.discordapp.com/attachments/1292940347978285208/1310443916696354931/build-3.0.8.rar?ex=6749dac0&is=67488940&hm=0b2f69fd1c8b9466326d1c29a87b781211f3fe27d38c49ac3d00f84abb02321c&
Score

10^/10

industroyer agilenet discovery evasion persistence phishing themida trojan
- Industroyer
  Contains code associated with parsing industroyer's configuration file.
- Industroyer family
  industroyer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Sets service image path in registry
  persistence
- A potential corporate email address has been identified in the URL: currency-file@1
  phishing
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
  persistence
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1