General
- Target: iRemove Tools.exe
- Size: 154.0MB
- Sample: 241230-zxal1aymem
- MD5: 3042e6e4971114abf454620afe379f5d
- SHA1: eccc2f78cd29ac89d7e9ef453a99198033c200b8
- SHA256: acdff3cac69f86eedce04ff8bdb50bb9596f2f7a4c64501bba9e966800cd3633
- SHA512: c4604ba5e51f891ae065743ef02af04ab1e235b15a4babee6d4441abe05993f7f9e6e1807a0b9c6e28890194fc34a12b24124934a1d25c2ec7502f18aefadf48
- SSDEEP: 3145728:KU0FbO0A8vlMEvPd+S2NrGvCIsi+zQLHArrixDKbOK3P5De0/wDe0/0XUmK:d8bA4ltqNoCIX/CbaYBDe04De0SU7
- Static task: static1
- Behavioral task: behavioral1 (Sample: iRemove Tools.exe; Resource: win7-20241010-en)
- Behavioral task: behavioral2 (Sample: iRemove Tools.exe; Resource: win10v2004-20241007-en)
Malware Config
Targets
- Target: iRemove Tools.exe (154.0MB; same MD5, SHA1, SHA256, SHA512 and SSDEEP values as listed under General)
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Manipulates Digital Signatures: attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
- Checks BIOS information in registry: BIOS information is often read in order to detect sandbox environments.
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
MITRE ATT&CK Enterprise v15
Defense Evasion
- Access Token Manipulation (1): Create Process with Token (1)
- Hide Artifacts (1): Hidden Files and Directories (1)
- Modify Registry (1)
- Subvert Trust Controls (2): Install Root Certificate (1), SIP and Trust Provider Hijacking (1)
- Virtualization/Sandbox Evasion (1)