General

  • Target

    SherenVPN-x64-6-1-6.exe

  • Size

    4.2MB

  • Sample

    250418-2enf9aznt7

  • MD5

    4022690847251ec50dfef8a36991829c

  • SHA1

    8bce1444ea17969f21f8c5ed91f1fc5752af1c4a

  • SHA256

    ae45484a1881d55afae4952224c4a8352e1163a9fb57d095431711e5dccdcd18

  • SHA512

    1e874a44b9918a7661868a74d3c16c6eb750304bacebf72ae393800ff72217f7c47c9311c16ec0088ba03c0a4485b2bd431a9c603935d677e7edfee893d366c2

  • SSDEEP

    98304:uxHXs+8aetFyiI7pt4bKvAvIr4cv4D3VFXPn+zKaw:usXCf4bZv84cgxFfn+zKP

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper

    https://i.postimg.cc/wBWwqh0k/hungary-memee.png

Targets

    • Target

      SherenVPN-x64-6-1-6.exe

    • NetSupport

      NetSupport is a remote access tool sold as legitimate system administration software.

    • Netsupport family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v16

Tasks