85c912a1a16544cb7b3c6f11048f764c969e76b2ae7ec94773521869cd871860

Sharing

Copy URL

Twitter E-mail

General

Target

Themida.v.3.1.8.0.zip
Size

61.8MB
Sample

241129-meqt2szpes
MD5

152b33e3367b67bad0ff164b266707dc
SHA1

fd84ecfdd806e46ab2731c4705de2d5df47ee606
SHA256

85c912a1a16544cb7b3c6f11048f764c969e76b2ae7ec94773521869cd871860
SHA512

690ae99237921dd17eb2c47ab464ebc67f386cf3760d90bb0629da88d9606b2f874d5f216050aae29e8d375ebc7b54fb96215cc284224fd6c5d3f26b565cd905
SSDEEP

1572864:1gvSh/CoMxkdrU1IhNNJMDVRtWRUbUBNZbfnJn3gVvV:1xh/NM2U10XiDVRtWRUbUtznJ4V

Score

9^/10

Malware Config

Targets

- Target
  
  Themida.v.3.1.8.0/Themida.exe
- Size
  
  30.1MB
- MD5
  
  ac042d817ab8b22903efe5168fdccd95
- SHA1
  
  a077b86df99fc2a88333c567a15885674aa65157
- SHA256
  
  eeee3378a756b15377c1443b32ad02ce743e4be1d802a21857b1b51ccefd8106
- SHA512
  
  152831fd4c40274723243a4df73321b2439add43b99c44f54949e3ccc83a202b2caa2fd5742eb5c5382de74df76f116c3ac352c4c04c648dbb7208558a1e8c54
- SSDEEP
  
  786432:xvamVvfX2eyQXWJChExZLEq9slLr4BnAMaW6fn/hO:x1OeyscCRn4e/hO
Score

9^/10

bootkit discovery evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  Themida.v.3.1.8.0/Themida64.exe
- Size
  
  30.5MB
- MD5
  
  e0f0db8d1fd2c9a277f8e968977fa684
- SHA1
  
  ae23b1e880bfade564e44759d01b965fda1f15d3
- SHA256
  
  0486a1c12b05214b01ecf642e4c9c0159a767e507a4472cf8fda68deefe02786
- SHA512
  
  347cd8dd2c4c5e9e84d111a8ecec77372e409aaa85c21f2c26ccca013467fad524d34c4ed6bc82386b5fa7eafe83531c0c81d63490b64e972cf68ce0001a1d9c
- SSDEEP
  
  786432:zXLec7gEqw1qmSgjfXF6GCPKJn1pSRmnT:zCcQs5SgDX8GCPA1sRET
Score

9^/10

bootkit discovery evasion persistence trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Checks whether UAC is enabled
  evasion trojan
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3 behavioral4
- Target
  
  Themida.v.3.1.8.0/ThemidaHelp.chm
- Size
  
  1.4MB
- MD5
  
  5b17a38c19fdeb9da763f9ce6212e483
- SHA1
  
  b5e930593a51ba93b8e87b8178c1113f75adf96d
- SHA256
  
  2e013c688cb06dc6d08c9e5420dcaca0a189e5d5f093090aad4fc6d12a9c0540
- SHA512
  
  d90f86845b6c429e8591cbfa8eb0c984972fc0262b20fbf19068abdd11a3921615b694dbbe6b15c447964442684dd719a6e4e677163c1aeda2d79f306ef31b63
- SSDEEP
  
  24576:BxtKslp35/TDYgRtaVGdgJiYEm+Z63NbztNgigjyjoeF2Hq08JSBcdZcs:BxtKwjfYOtawyiY8ZCbpxgsF2K5JSBIj
Score

1^/10
behavioral5 behavioral6
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Plugins/Examples/Delphi/TestPlugin.dll
- Size
  
  2.0MB
- MD5
  
  e08135766e6d14cf1ead4393eb33eeb4
- SHA1
  
  760f16fd201dc55fc68a8c030aaa7e98f6f5f519
- SHA256
  
  e67fa2a9c9fe7dbf8e29143d8bd1222422bfe08ef368e8e046bbee9a8dd731ee
- SHA512
  
  3bc9d6e8ee3690e1adcd667faa3e5eb35731b4c6d1abfde518959e704f50806493453133be7d1f6a419e87ac9df0aa09dac7dd6f65e23de37435c0a3a827952f
- SSDEEP
  
  24576:50Xy3Vsv/hQMcUGBZ4/NEZfqYfMWj1YT/hBUSMmPTfQAYe5ft07VBCgZkQlFE3:aC+/lKtMtbhCStP0A4UbQlF
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/CBuilder/Project1.cpp
- Size
  
  1KB
- MD5
  
  93b812faa14fc235204acc81cb6256c3
- SHA1
  
  c8a2907eb28940efaeb3e3aaf5816f85edc0c419
- SHA256
  
  8ef2ed5bdd6c0172b53ba70b31481e0209d51c0cb6d67871642371c5638ac672
- SHA512
  
  804983cc99118e8c609d1f0177ab77b835247640cc75b4d9f6a44094fb7eddce1ff8aa76d7da8e85e92bc6d7072e424b109ef11fd0dffacf40f16f06d39e8f87
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/C/Visual C++/vc_example.plg
- Size
  
  1KB
- MD5
  
  97ea28334d67d71e4a96b56d76fe0d15
- SHA1
  
  caffb42a57d09d6b8246c583f0d76004fd003d86
- SHA256
  
  9965e660e07492e5c45bc7c52b981d1d65f6341a415979742418f5f699c1e771
- SHA512
  
  0f2c0e693dd4e83e3c0bd2b68f6015a878f77b87dd0c84da836416b74e4284e8787c19b5d361732ab0d45c2b9c924746d73dba1493d1722b93731db6229120a3
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/NativeAOT/ConsoleWrapper/ExternalDependencies/NativeAotLib.dll
- Size
  
  15KB
- MD5
  
  3d189c2be81b3f0cb3262f19b87875ec
- SHA1
  
  01b6432d574d1ac35ae8974b7e5c9a69d47b4e94
- SHA256
  
  e7af13ad2eaa3a6de649c55bbc8fe3aa7b941491ac59341c1ce769af5464cc5a
- SHA512
  
  2faa4746905d1e671eb305ad5cab1389eca8bcf5ab6ecee4a3056558b6daa013e5e27faa6339f0cabca26ede434a0506af85fe638f7c798110e326c11629aaaf
- SSDEEP
  
  192:sYvSTOnEXuTBIGB6MxALlKxGd6wjo5NjLVLNgJFbnc:DaQV95AUGd6w+NYU
Score

1^/10
behavioral13 behavioral14
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/NativeAOT/ConsoleWrapper/ExternalDependencies/SecureEngineSDK64.dll
- Size
  
  28KB
- MD5
  
  6d8722b257230e3f691197715ec2b4b1
- SHA1
  
  bf141f3aff5b5e1cd2f02a5d81125931ba4a842d
- SHA256
  
  175a75ca524b269b25fb5144dc0abb4ac9b1673852df3abfbd4f6c449e01827d
- SHA512
  
  b6d077c57780ab6d58649cee36a1016573adfcafcfa8c823297a19f8bb1d1ea0c1b613044076bcd805a0c18dc37a78208ebaa4d0e19c192b65415028355f1069
- SSDEEP
  
  192:3Mi08s5GvuxBdzbNEQaSpqX5xS5haVWUcSAfMVIBizxhv:cdZxBhaHfSsA0V
Score

1^/10
behavioral15 behavioral16
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/NativeAOT/ConsoleWrapper/Program.cs
- Size
  
  758B
- MD5
  
  046244903b44ea02a1196737870209b1
- SHA1
  
  19066c1da0133905e573937e36e16e890c92a117
- SHA256
  
  ef3f5327bae6194d0d9dcce76bcf057c56ceacda93d708fe597f8513586e2efd
- SHA512
  
  18e4084c1df308f5887a458a3741426b45c5e8266489636487a89a323d61273b4b3909a5ab85861ffaa6ecffee15977574c96a07c61a8a205a4b83c8a2bec487
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/NativeAOT/NativeAotLib/SecureEngineSDK64.dll
- Size
  
  28KB
- MD5
  
  6d8722b257230e3f691197715ec2b4b1
- SHA1
  
  bf141f3aff5b5e1cd2f02a5d81125931ba4a842d
- SHA256
  
  175a75ca524b269b25fb5144dc0abb4ac9b1673852df3abfbd4f6c449e01827d
- SHA512
  
  b6d077c57780ab6d58649cee36a1016573adfcafcfa8c823297a19f8bb1d1ea0c1b613044076bcd805a0c18dc37a78208ebaa4d0e19c192b65415028355f1069
- SSDEEP
  
  192:3Mi08s5GvuxBdzbNEQaSpqX5xS5haVWUcSAfMVIBizxhv:cdZxBhaHfSsA0V
Score

1^/10
behavioral19 behavioral20
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/NativeAOT/NativeAotLib/Security.cs
- Size
  
  1KB
- MD5
  
  212b6a6a38eb180c02ff23ae386830ec
- SHA1
  
  f80ff9bec8a123da0b3dae062abee5f216666794
- SHA256
  
  6a6bbc9121938f7fb613fb61313a9fea88258f0a9d8dbe75d592e18928bb5541
- SHA512
  
  77313eebe7e0a967254ccf1b4a9b6fecc789cb03319dcab6f6f500d3f0f1e60cd08ecc2f33d8281333c2e33421b391e43d0e41a8f0896ebfe5943907c720468f
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protectio Macros(Check Protection)/Rust/hello.rs
- Size
  
  730B
- MD5
  
  f531a993991b46659f6e8a9aea0e1080
- SHA1
  
  569c9e7f701b69569be1d3c90cd2e6e04b982fd5
- SHA256
  
  7dc08c77295abd41a19f385c6d55ad9c938745ff0bce55dedc2394df38c9b2bb
- SHA512
  
  fde9e5409788ebadbafe485f11435b8f53b470688f726e1a7a751c1cd8054c68dc779b9ba5ca45d8c4c715a63353f42f493a3a7efd33932723e752ab1e610a1a
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protection Macros/C/CBuilder/Project1.cpp
- Size
  
  1KB
- MD5
  
  93b812faa14fc235204acc81cb6256c3
- SHA1
  
  c8a2907eb28940efaeb3e3aaf5816f85edc0c419
- SHA256
  
  8ef2ed5bdd6c0172b53ba70b31481e0209d51c0cb6d67871642371c5638ac672
- SHA512
  
  804983cc99118e8c609d1f0177ab77b835247640cc75b4d9f6a44094fb7eddce1ff8aa76d7da8e85e92bc6d7072e424b109ef11fd0dffacf40f16f06d39e8f87
Score

3^/10

execution
behavioral25 behavioral26
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protection Macros/NativeAOT/ConsoleWrapper/ExternalDependencies/NativeAotLib.dll
- Size
  
  15KB
- MD5
  
  3d189c2be81b3f0cb3262f19b87875ec
- SHA1
  
  01b6432d574d1ac35ae8974b7e5c9a69d47b4e94
- SHA256
  
  e7af13ad2eaa3a6de649c55bbc8fe3aa7b941491ac59341c1ce769af5464cc5a
- SHA512
  
  2faa4746905d1e671eb305ad5cab1389eca8bcf5ab6ecee4a3056558b6daa013e5e27faa6339f0cabca26ede434a0506af85fe638f7c798110e326c11629aaaf
- SSDEEP
  
  192:sYvSTOnEXuTBIGB6MxALlKxGd6wjo5NjLVLNgJFbnc:DaQV95AUGd6w+NYU
Score

1^/10
behavioral27 behavioral28
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protection Macros/NativeAOT/ConsoleWrapper/ExternalDependencies/SecureEngineSDK64.dll
- Size
  
  28KB
- MD5
  
  6d8722b257230e3f691197715ec2b4b1
- SHA1
  
  bf141f3aff5b5e1cd2f02a5d81125931ba4a842d
- SHA256
  
  175a75ca524b269b25fb5144dc0abb4ac9b1673852df3abfbd4f6c449e01827d
- SHA512
  
  b6d077c57780ab6d58649cee36a1016573adfcafcfa8c823297a19f8bb1d1ea0c1b613044076bcd805a0c18dc37a78208ebaa4d0e19c192b65415028355f1069
- SSDEEP
  
  192:3Mi08s5GvuxBdzbNEQaSpqX5xS5haVWUcSAfMVIBizxhv:cdZxBhaHfSsA0V
Score

1^/10
behavioral29 behavioral30
- Target
  
  Themida.v.3.1.8.0/ThemidaSDK/ExamplesSDK/Protection Macros/NativeAOT/ConsoleWrapper/Program.cs
- Size
  
  758B
- MD5
  
  046244903b44ea02a1196737870209b1
- SHA1
  
  19066c1da0133905e573937e36e16e890c92a117
- SHA256
  
  ef3f5327bae6194d0d9dcce76bcf057c56ceacda93d708fe597f8513586e2efd
- SHA512
  
  18e4084c1df308f5887a458a3741426b45c5e8266489636487a89a323d61273b4b3909a5ab85861ffaa6ecffee15977574c96a07c61a8a205a4b83c8a2bec487
Score

3^/10

execution
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32