Overview

overview

10

Static

static

7

AudioCapture.dll

windows7-x64

3

AudioCapture.dll

windows10-2004-x64

3

PCICHEK.dll

windows7-x64

3

PCICHEK.dll

windows10-2004-x64

3

PCICL32.dll

windows7-x64

9

PCICL32.dll

windows10-2004-x64

9

TCCTL32.dll

windows7-x64

3

TCCTL32.dll

windows10-2004-x64

3

client32.exe

windows7-x64

10

client32.exe

windows10-2004-x64

10

htctl32.dll

windows7-x64

3

htctl32.dll

windows10-2004-x64

3

msvcr100.dll

windows7-x64

3

msvcr100.dll

windows10-2004-x64

3

onedrive.lnk

windows7-x64

3

onedrive.lnk

windows10-2004-x64

3

pcicapi.dll

windows7-x64

3

pcicapi.dll

windows10-2004-x64

3

remcmdstub.exe

windows7-x64

3

remcmdstub.exe

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a761508511850cd6e28bce353a5a1f02a1a739b36a3744dcf95b4082f76b2cd3.zip

  • Size

    5.2MB

  • Sample

    250322-d3csnaxtbs

  • MD5

    a846b7c7491eb94103f225df0475add2

  • SHA1

    74b4015a4fd63d614ff7ec921bfcc7233cdc6921

  • SHA256

    a761508511850cd6e28bce353a5a1f02a1a739b36a3744dcf95b4082f76b2cd3

  • SHA512

    148103e159590c2f23c845ef12eb67cf79134977dc56ab0e612e4eb25de46c5c01ad5616f4c96eb0a4f1ffac7fba21b6d7ad008f96f8c3a55dafafc121501e9c

  • SSDEEP

    98304:yYsAKYznmQxo7TpUjk6TvTnbdOpL5GwN8Yckaz1xljkaUzbQMOVxQJiT08:rztxoqjEVKbz1xlEbWaij

Score
10/10
netsupportdefense_evasiondiscoveryratthemidatrojan

Malware Config

Targets

    • Target

      AudioCapture.dll

    • Size

      80KB

    • MD5

      b24bac29892fcfd50a0ad0901f05f253

    • SHA1

      cba57b8656affa77fbd24358c27accb3817c89ef

    • SHA256

      49619a2100bf1f0108eea8e8d571b33a784d5c10e769b41225f497fd19ab1ace

    • SHA512

      e2e0a20309e4e488e47be12d4c7413e49aabcb4a833f7ab4a8191c1a3cf0579b3a68986f5691d1daaa17d701ad48d9ecf053a78366e66120b78310dc233a8bb5

    • SSDEEP

      1536:s6Y+3bZm8/vLk957pyPkD/bFRFpmPcW+gee/GjHdee/QjH9:s6Y+rQ8/Tk9Rp5zFpmPl+gefj9eljd

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      PCICHEK.DLL

    • Size

      31KB

    • MD5

      13661c770af0008be7b07b5e8727770d

    • SHA1

      614e73b424618c5171a69041eb85da9948c6600a

    • SHA256

      e4793d1de2aba7c1a6c9d5ee2c9dd7f77e6d72f795e3a6fee952cc01795eacd1

    • SHA512

      52d80ae4e01e909c074d8c934ce94ccd53da3fc0cebeea8aea48c6b3889c98101620a113298fa357a0f421742cc483dead3dd85b701252b070f565fe9b196ecc

    • SSDEEP

      768:l52mnrr2pe/GJvHDHf/ckApr2pe/GXHDHf/ckZ:rPnfee/4jHE1ee/6jH1

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      PCICL32.DLL

    • Size

      4.3MB

    • MD5

      6a8b46d540d96a991cfe141bd60b3def

    • SHA1

      6c8ced9543300fe447c1dd2a087bd2fa06e36b5a

    • SHA256

      666fe72e982876e732736b410cd0766a0c713293e38424f94f472486876e75a9

    • SHA512

      cd64f1557e3247bfe290b24ae61890dd5265ccdc1e7a9baa493eb32c75c80fbf7fdb118803b86b2b57151df4f96c28be4b1663adf2b6d1271dfbe36899fd164e

    • SSDEEP

      98304:UbnoAxfwBBnO2Yriq6QtwKPXiJSHe/EXhGGqaa8hlFCS:Ub/xfwBU2wBhPiw+cXhG3aau/V

    Score
    9/10
    defense_evasiondiscoverythemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral5behavioral6

    • Target

      TCCTL32.DLL

    • Size

      459KB

    • MD5

      8b06b1712d744556a67b8b727280676d

    • SHA1

      635531af9084cc9d46a631e7fa57a75598e74051

    • SHA256

      c4a67983aada7bf78182766130d7f34bdb682bbba909d791c9dbf11e3311f304

    • SHA512

      0a5a7dd3f895d8cdc2a5d3e61241bf2b2ab11574a39d7faac52ef9c83b61c46d375164a1b9076ee864f436fa1a1fefe5345176ff2baba6ba11f955335229230a

    • SSDEEP

      12288:D+MEmCOirSwXCHVs5QroHNgstVJ9lf8Mu3qyPKLfco:D+MEp5IsV4Mu6yPKh

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      client32.exe

    • Size

      117KB

    • MD5

      a213fbe67e6393d56a9486fe9001d9b7

    • SHA1

      d4dbd3ad527350e4d0058086d042c214ce403218

    • SHA256

      1b297c236512972555a6a7575ef341b8872d65019dff8903ff2cae5a9053af9d

    • SHA512

      4e1b804fa87c0473faac022d2b205936cb547f2ecf83fb92c2a26ef30b2b626e793f9778a8d74ba4223d96327dd6ae94fb8a35aa44b85da2b4d37eb3ce279618

    • SSDEEP

      768:zfVZl6FhWr80/SqUr2pe/3NVHDHf/ckyGr2pe/kWHDHf/ckx:z70hGaq0ee/3HjHnee/FjHl

    Score
    10/10
    netsupportdefense_evasiondiscoveryratthemidatrojan

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

      ratnetsupport

    • Netsupport family

      netsupport

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral10behavioral9

    • Target

      htctl32.dll

    • Size

      316KB

    • MD5

      051cdb6ac8e168d178e35489b6da4c74

    • SHA1

      38c171457d160f8a6f26baa668f5c302f6c29cd1

    • SHA256

      6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

    • SHA512

      602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

    • SSDEEP

      6144:WyspIr8g8imeKk9Fv8TamdF3xuHGAimnx30aaY5nFJl8NjzGrn0J/d3M1OGg:WyspIr8g8i191uzdwHGAimd0bY5FJl85

    Score
    3/10
    discovery
    behavioral11behavioral12

    • Target

      msvcr100.dll

    • Size

      755KB

    • MD5

      0e37fbfa79d349d672456923ec5fbbe3

    • SHA1

      4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    • SHA256

      8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    • SHA512

      2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    • SSDEEP

      12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z

    Score
    3/10
    discovery
    behavioral13behavioral14

    • Target

      onedrive.lnk

    • Size

      1KB

    • MD5

      b645868482618c15ed333b39a72ac60e

    • SHA1

      f2bf858e0014bc0e1a29ae531cba87f0e5895c5a

    • SHA256

      e66e9df50f40aa73dc847f6afdf9852000782841df6b808a75e090e9787604dd

    • SHA512

      24ad17f2f9165070f04a9979a804eeac6eb47c10b4f2d79bac4f8f245aee50abea5d3331098119fe1ed10640194d631cbd55cc8f97a55573cbe2c2052fd5fd62

    Score
    3/10
    behavioral15behavioral16

    • Target

      pcicapi.DLL

    • Size

      48KB

    • MD5

      a17e05bb6545453900dcaa2a5230359b

    • SHA1

      7c9de48aed728422e24ae9625a8f37e80f9c7b46

    • SHA256

      37744c725c88ded39e1fd4d664227bdc4fa01187dfbcc17d915600fe9956cb19

    • SHA512

      56acfa5693883a313a718e04e2aa32dce8e24d42f19a4a8097e5fd36157b56ee1fae45b636015145349ed1af2e068c95f9d15b6bc8b91834fcd63f71be2600ec

    • SSDEEP

      768:35GznfNnu0sbqmuebcTYCBU1wn+Pam8Arr2pe/PZD9HDHf/ckDr2pe/sOHDHf/cD:35GzfFDmmTYCtMawee/zjHjee/VjHa

    Score
    3/10
    discovery
    behavioral17behavioral18

    • Target

      remcmdstub.exe

    • Size

      75KB

    • MD5

      bdb47866eff177c7184b968e0de3396a

    • SHA1

      0c7c4abf0aff4f09b4c64ba17ecb8d649980add6

    • SHA256

      73ed5f35c1acd4306f51b0bd9c57e31797b94d429d082fe5dd403d937a1a86e3

    • SHA512

      23b9443661f24cb428b429849aa96b3f56e3a53df7dd6a6aa35c12716e944f81d7582ef4e991ed1e1d377ec43a98ea80fb79d686bad71598b5cb6b08e286bbb7

    • SSDEEP

      1536:MfafvTuNOwphKuyUHTqYXHhrXH4LLIywmoEee/ejHcee/s8jHz:GafLSpAFUzt0LLIywYejj8eCjT

    Score
    3/10
    discovery
    behavioral19behavioral20

MITRE ATT&CK Enterprise v15

Tasks

static1

themida
Score
7/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

defense_evasiondiscoverythemidatrojan
Score
9/10

behavioral6

defense_evasiondiscoverythemidatrojan
Score
9/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

netsupportdefense_evasiondiscoveryratthemidatrojan
Score
10/10

behavioral10

netsupportdefense_evasiondiscoveryratthemidatrojan
Score
10/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

Score
3/10

behavioral16

Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10