General

  • Target

    iRemove Tools.exe

  • Size

    154.0MB

  • Sample

    241230-zxal1aymem

  • MD5

    3042e6e4971114abf454620afe379f5d

  • SHA1

    eccc2f78cd29ac89d7e9ef453a99198033c200b8

  • SHA256

    acdff3cac69f86eedce04ff8bdb50bb9596f2f7a4c64501bba9e966800cd3633

  • SHA512

    c4604ba5e51f891ae065743ef02af04ab1e235b15a4babee6d4441abe05993f7f9e6e1807a0b9c6e28890194fc34a12b24124934a1d25c2ec7502f18aefadf48

  • SSDEEP

    3145728:KU0FbO0A8vlMEvPd+S2NrGvCIsi+zQLHArrixDKbOK3P5De0/wDe0/0XUmK:d8bA4ltqNoCIX/CbaYBDe04De0SU7

Malware Config

Targets

    • Target

      iRemove Tools.exe

    • Size

      154.0MB

    • MD5

      3042e6e4971114abf454620afe379f5d

    • SHA1

      eccc2f78cd29ac89d7e9ef453a99198033c200b8

    • SHA256

      acdff3cac69f86eedce04ff8bdb50bb9596f2f7a4c64501bba9e966800cd3633

    • SHA512

      c4604ba5e51f891ae065743ef02af04ab1e235b15a4babee6d4441abe05993f7f9e6e1807a0b9c6e28890194fc34a12b24124934a1d25c2ec7502f18aefadf48

    • SSDEEP

      3145728:KU0FbO0A8vlMEvPd+S2NrGvCIsi+zQLHArrixDKbOK3P5De0/wDe0/0XUmK:d8bA4ltqNoCIX/CbaYBDe04De0SU7

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Manipulates Digital Signatures

      Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks