thanos | 4a09528f4ab9eddacb1944e3c2fae6f24cb37c267f7c9360b494c5edfc62365b

General

Target

JRKGaming
Size

171KB
Sample

250409-jqez5stzct
MD5

b7724bd9acf1f31e191a557939d57c26
SHA1

4f9814293decf0fc6b53e477b683e9c280085b02
SHA256

4a09528f4ab9eddacb1944e3c2fae6f24cb37c267f7c9360b494c5edfc62365b
SHA512

66cf31adeaba3acec45e38e1cd1c27e11f36893773cb43ba647c613d7973434631ab954a5aaa0f04c5ab49de60fcbd812d098d396813ad7ed45de8d4b615ab6c
SSDEEP

3072:16zq3FoSJQkHZIWNDEZJ3hmhDj7QOUCxq1XB5CkGHSvsuWDp8c/saqk3V97xZDIc:W9BsDp8c/saqk3V97HILqgIDSF5IQ9x8

Score

10^/10

Malware Config

Targets

- Target
  
  JRKGaming
- Size
  
  171KB
- MD5
  
  b7724bd9acf1f31e191a557939d57c26
- SHA1
  
  4f9814293decf0fc6b53e477b683e9c280085b02
- SHA256
  
  4a09528f4ab9eddacb1944e3c2fae6f24cb37c267f7c9360b494c5edfc62365b
- SHA512
  
  66cf31adeaba3acec45e38e1cd1c27e11f36893773cb43ba647c613d7973434631ab954a5aaa0f04c5ab49de60fcbd812d098d396813ad7ed45de8d4b615ab6c
- SSDEEP
  
  3072:16zq3FoSJQkHZIWNDEZJ3hmhDj7QOUCxq1XB5CkGHSvsuWDp8c/saqk3V97xZDIc:W9BsDp8c/saqk3V97HILqgIDSF5IQ9x8
Score

10^/10

thanos defense_evasion discovery evasion execution impact pyinstaller ransomware trojan
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Disables service(s)
  defense_evasion execution
- Modifies Windows Defender DisableAntiSpyware settings
  evasion trojan
- Modifies Windows Defender Real-time Protection settings
  defense_evasion trojan
- Modifies Windows Defender TamperProtection settings
  evasion trojan
- Thanos Ransomware
  Ransomware-as-a-service (RaaS) sold through underground forums.
  ransomware thanos
- Thanos executable
- Thanos family
  thanos
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (51) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Network Service Discovery
  Attempt to gather information on host's network.
  discovery
behavioral1