General

  • Target

    e83baf4288ca1bc2b65da0ccb7a04063a8f227b3eddc4a0080fedfb5396d505d.zip

  • Size

    5.2MB

  • Sample

    250322-erjbqs1py6

  • MD5

    aa36db3bb9531cd9aed43833a3bcf293

  • SHA1

    77987f17cd688cbad115224973ec86eb37c8c60c

  • SHA256

    e83baf4288ca1bc2b65da0ccb7a04063a8f227b3eddc4a0080fedfb5396d505d

  • SHA512

    696b5be68439783944ffa053d3bb7da5dfd13436219a41b5e1643384fec67c52963ccbe45993847945861643bd62e9b4879359518ce731b84ffb6321fbacdaff

  • SSDEEP

    98304:+z1kquAFhjKuCZLUroz1MHkuqn5T3CIIlzjqObiT0nYsAK6:UkijKuC9Zck5n5T3dIlzjqObih

Malware Config

Targets

    • Target

      AudioCapture.dll

    • Size

      80KB

    • MD5

      b24bac29892fcfd50a0ad0901f05f253

    • SHA1

      cba57b8656affa77fbd24358c27accb3817c89ef

    • SHA256

      49619a2100bf1f0108eea8e8d571b33a784d5c10e769b41225f497fd19ab1ace

    • SHA512

      e2e0a20309e4e488e47be12d4c7413e49aabcb4a833f7ab4a8191c1a3cf0579b3a68986f5691d1daaa17d701ad48d9ecf053a78366e66120b78310dc233a8bb5

    • SSDEEP

      1536:s6Y+3bZm8/vLk957pyPkD/bFRFpmPcW+gee/GjHdee/QjH9:s6Y+rQ8/Tk9Rp5zFpmPl+gefj9eljd

    Score
    3/10
    • Target

      PCICHEK.DLL

    • Size

      31KB

    • MD5

      13661c770af0008be7b07b5e8727770d

    • SHA1

      614e73b424618c5171a69041eb85da9948c6600a

    • SHA256

      e4793d1de2aba7c1a6c9d5ee2c9dd7f77e6d72f795e3a6fee952cc01795eacd1

    • SHA512

      52d80ae4e01e909c074d8c934ce94ccd53da3fc0cebeea8aea48c6b3889c98101620a113298fa357a0f421742cc483dead3dd85b701252b070f565fe9b196ecc

    • SSDEEP

      768:l52mnrr2pe/GJvHDHf/ckApr2pe/GXHDHf/ckZ:rPnfee/4jHE1ee/6jH1

    Score
    3/10
    • Target

      PCICL32.DLL

    • Size

      4.3MB

    • MD5

      38f5bda20188e0c8fc372686401c6b2f

    • SHA1

      791443697c65f150ed3faef0d20e6a5aff333d3f

    • SHA256

      f721ac18cfef4b6b6c6382481e8f0648fcb0875994889c3bbcad3d076c29733b

    • SHA512

      ac6a8ccbf7a1a1c48e53d4fed55af3b8ba1b6baff6b73be15def8d75a86b51e58345ad9500195278ecd21519458d471723342c3ada533a52d41c9800a9b66777

    • SSDEEP

      98304:ZF1cku6dhXOSs4sAB+juYzHXKBvbQftxx7ZT1z:5c18KLUTQlPZR

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      TCCTL32.DLL

    • Size

      459KB

    • MD5

      8b06b1712d744556a67b8b727280676d

    • SHA1

      635531af9084cc9d46a631e7fa57a75598e74051

    • SHA256

      c4a67983aada7bf78182766130d7f34bdb682bbba909d791c9dbf11e3311f304

    • SHA512

      0a5a7dd3f895d8cdc2a5d3e61241bf2b2ab11574a39d7faac52ef9c83b61c46d375164a1b9076ee864f436fa1a1fefe5345176ff2baba6ba11f955335229230a

    • SSDEEP

      12288:D+MEmCOirSwXCHVs5QroHNgstVJ9lf8Mu3qyPKLfco:D+MEp5IsV4Mu6yPKh

    Score
    3/10
    • Target

      client32.exe

    • Size

      117KB

    • MD5

      394b5f9e94a82fd4f2934e4bbe4bc30e

    • SHA1

      6b8281f7b44b0c2c3a22ad14998b342e673f8c16

    • SHA256

      0501c9eedd74ed5e3112f5ddbd8d5d12098274d08605417a433a000822458183

    • SHA512

      0f4b84ba6e4da8364aea8c71f6255a9cfae7180735a347174c777c953588cfbe4e1f2d42a2b17bb84444f039793cff0b6fa92a024184dae8d2b844949ae07bdc

    • SSDEEP

      768:NfVZl6FhWr80/SqUr2pe/3N6HDHf/ckgGr2pe/k7HDHf/ckHgdV:N70hGaq0ee/30jHNee/IjHDgT

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

    • Netsupport family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      htctl32.dll

    • Size

      316KB

    • MD5

      051cdb6ac8e168d178e35489b6da4c74

    • SHA1

      38c171457d160f8a6f26baa668f5c302f6c29cd1

    • SHA256

      6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

    • SHA512

      602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

    • SSDEEP

      6144:WyspIr8g8imeKk9Fv8TamdF3xuHGAimnx30aaY5nFJl8NjzGrn0J/d3M1OGg:WyspIr8g8i191uzdwHGAimd0bY5FJl85

    Score
    3/10
    • Target

      msvcr100.dll

    • Size

      755KB

    • MD5

      0e37fbfa79d349d672456923ec5fbbe3

    • SHA1

      4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

    • SHA256

      8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

    • SHA512

      2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

    • SSDEEP

      12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z

    Score
    3/10
    • Target

      onedrive.lnk

    • Size

      1KB

    • MD5

      b645868482618c15ed333b39a72ac60e

    • SHA1

      f2bf858e0014bc0e1a29ae531cba87f0e5895c5a

    • SHA256

      e66e9df50f40aa73dc847f6afdf9852000782841df6b808a75e090e9787604dd

    • SHA512

      24ad17f2f9165070f04a9979a804eeac6eb47c10b4f2d79bac4f8f245aee50abea5d3331098119fe1ed10640194d631cbd55cc8f97a55573cbe2c2052fd5fd62

    Score
    3/10
    • Target

      pcicapi.DLL

    • Size

      48KB

    • MD5

      a17e05bb6545453900dcaa2a5230359b

    • SHA1

      7c9de48aed728422e24ae9625a8f37e80f9c7b46

    • SHA256

      37744c725c88ded39e1fd4d664227bdc4fa01187dfbcc17d915600fe9956cb19

    • SHA512

      56acfa5693883a313a718e04e2aa32dce8e24d42f19a4a8097e5fd36157b56ee1fae45b636015145349ed1af2e068c95f9d15b6bc8b91834fcd63f71be2600ec

    • SSDEEP

      768:35GznfNnu0sbqmuebcTYCBU1wn+Pam8Arr2pe/PZD9HDHf/ckDr2pe/sOHDHf/cD:35GzfFDmmTYCtMawee/zjHjee/VjHa

    Score
    3/10
    • Target

      remcmdstub.exe

    • Size

      75KB

    • MD5

      7ecac983d7765eb79af13cd9a129552c

    • SHA1

      1679a3e784b84b03476686df3ccf7033e39ad660

    • SHA256

      e7c60d56922400447afd30fab7e5ade310b263b4b0b76529e8946661d5392fb1

    • SHA512

      2d93988688b0f96695d1e66c15894722e9fde954da25f3d027a57daa38e284a174dfc65924acd6c395122725faf2addd2798cc2aea047017bc45cccad9eb7b5e

    • SSDEEP

      1536:efafvTuNOwphKuyUHTqYXHhrXH4LLIywmoEee/QjHpee/shjHD:4afLSpAFUzt0LLIywYeJjJeXjj

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

themida
Score
7/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

defense_evasion, discovery, themida, trojan
Score
9/10

behavioral6

defense_evasion, discovery, themida, trojan
Score
9/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

netsupport, defense_evasion, discovery, rat, themida, trojan
Score
10/10

behavioral10

netsupport, defense_evasion, discovery, rat, themida, trojan
Score
10/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
3/10

behavioral14

discovery
Score
3/10

behavioral15

Score
3/10

behavioral16

Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10