General

  • Target

    RoninTweaksCLI.bat

  • Size

    20.4MB

  • Sample

    250112-bf9g1axres

  • MD5

    97677e95c911e9d50ed31116686f623e

  • SHA1

    569153701ca741b98e6d3bc60f88866d40c87ba4

  • SHA256

    a453512cf45c3d69400c96fb2d4fde739e101a71d3a9e57fb488634cfba1a119

  • SHA512

    0dd60ca16d724a978a8afe70f020659f24cade852ebb6cc1f0b5fdd140ec05aef4649eb8442fb9cb1861eaf3c86ca88213115d590c1233e53d3d39682d70e5ed

  • SSDEEP

    393216:MuktptnIVZd7p9mdLt/WVi0teZKwnOEGL26VjSQS6ya:0tDGL7p8dai06KRq6RSH6ya

Targets

    • Target

      RoninTweaksCLI.bat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger