87fac13aa541cb7ef3b3a40148b278cef1ca511318ef66de56b172573692a49d | Triage

Submit
Reports

Overview

overview

9

Static

static

3

CraxsRat V...ru.exe

windows7-x64

8

CraxsRat V...ru.exe

windows10-2004-x64

9

Resubmissions

29/12/2024, 18:44

241229-xdt57avqew 8

30/11/2024, 21:20

241130-z6wwlavrgz 9

24/01/2024, 19:00

240124-xntx6sgab6 9

Sharing

Copy URL Twitter E-mail

General

Target

CraxsRat V7.2 By Nibiru.exe
Size

263.1MB
Sample

241130-z6wwlavrgz
MD5

20afdefb9489a8fef1187a3dc7a61f08
SHA1

c4dbe7fb60dd9acbb8dc815ede0a159b46a24d6d
SHA256

87fac13aa541cb7ef3b3a40148b278cef1ca511318ef66de56b172573692a49d
SHA512

62ec666fa7dabbc5a915ffdbe5ea120deaeecd5e5fd8333e8ca63656bedc8cb9a8baeff992f72d0d04cce7538a735d3b8cd5c0ddc98941e77ec3736168165d2e
SSDEEP

6291456:8an+tTZRSy1f6m+YclGA3MY4K4XlN+VNF7G9Yd6qOvfiBun2e:8m+tNz1f6m+Yclt4XMNB0KLOIZe

Score

9^/10

agilenet discovery evasion execution persistence themida trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

CraxsRat V7.2 By Nibiru.exe

Resource

win7-20240903-en

discovery execution persistence

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

CraxsRat V7.2 By Nibiru.exe

Resource

win10v2004-20241007-en

agilenet discovery evasion execution persistence themida trojan

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Targets

- Target
  
  CraxsRat V7.2 By Nibiru.exe
- Size
  
  263.1MB
- MD5
  
  20afdefb9489a8fef1187a3dc7a61f08
- SHA1
  
  c4dbe7fb60dd9acbb8dc815ede0a159b46a24d6d
- SHA256
  
  87fac13aa541cb7ef3b3a40148b278cef1ca511318ef66de56b172573692a49d
- SHA512
  
  62ec666fa7dabbc5a915ffdbe5ea120deaeecd5e5fd8333e8ca63656bedc8cb9a8baeff992f72d0d04cce7538a735d3b8cd5c0ddc98941e77ec3736168165d2e
- SSDEEP
  
  6291456:8an+tTZRSy1f6m+YclGA3MY4K4XlN+VNF7G9Yd6qOvfiBun2e:8m+tNz1f6m+Yclt4XMNB0KLOIZe
Score

9^/10

discovery execution persistence agilenet evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecutionpersistence

behavioral2

agilenetdiscoveryevasionexecutionpersistencethemidatrojan

© 2018-2025

Terms | Privacy