Overview

overview

9

Static

static

7

release/ma...at.exe

windows10-1703-x64

9

release/ma...er.exe

windows10-1703-x64

9

release/map/map.exe

windows10-1703-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    release-1.rar

  • Size

    11.5MB

  • Sample

    240702-da42faxajq

  • MD5

    2193b6604f588f357d740a18bdab44f4

  • SHA1

    76f47e39d4f2519c2cf0286f32f6dbe6750058c1

  • SHA256

    16c7a73b769a3cd125d7954c8a2f9e00899b24d1ff8141e7f4ccb4e57119bac1

  • SHA512

    cd681225749e199689369aed7a3beb96cd7137a9d052a9b7d753d61906b4187da5696364d31b37b5d2453ae344b6fb5c7fc872a1ac9e43b20a3442a30bdbb193

  • SSDEEP

    196608:viS/BJrAwImyJd7fRMEef/KIMxAvGUFi0gpuKLoqizxw139o3IVTiypXyGF:vigrAdmATje3DAA+UA0gxLonzm9o3IB5

Score
9/10
evasionpersistencethemidatrojan

Malware Config

Targets

    • Target

      release/main/cheat.exe

    • Size

      4.1MB

    • MD5

      3b821f77818bf6529d9b85af041f28bd

    • SHA1

      a9782ab905e4540f1a1e38663cf22807505ffbe5

    • SHA256

      56d0dfd1dde9cb0a196fc881c05ab7ef4a1d769145e2d2e24242426a935bc649

    • SHA512

      b0f50ebdc50d1c4452bf8e7aab1a7b88eaf948dbdcca230f6257663f9f91ffd413432a88c5eeed7871e0a18e9ef37219f5176939f3350a5dfc377c83d0c77a4f

    • SSDEEP

      98304:oUXr5eFWXgNcV+TTqth4ci1ss30nI2yCrdA8+quSThpD46NtCMmD:VrIFWUcVYY6r3l251+quSThl9pi

    Score
    9/10
    evasionpersistencethemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

    • Target

      release/main/loader.exe

    • Size

      4.1MB

    • MD5

      9ecdc9ed1bea6c226f92d740d43400b9

    • SHA1

      b5b5066cd4284733d8c3f3d7de3ca6653091ae10

    • SHA256

      60c57f14c2e0e0df0bda16646b21dddceaee0159dafbbb8daba310d4e1b5be6c

    • SHA512

      30bc705a2438288e3647d5adfc6119d751823970972b9c6b39a60384a2b7ac261986026b8d1c0b0ca7ee3d7e95363c97b873fdc5fad4096c903cb4e15bf57e43

    • SSDEEP

      98304:vnUGAC+hqc8lqvdzw2nsNKYYURyc9JirsN4JzmUPj:PTn2qcUzp6UYeJRCxPj

    Score
    9/10
    evasionthemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral2

    • Target

      release/map/map.exe

    • Size

      3.3MB

    • MD5

      a5a681b19458d693464f24f0d22d7b32

    • SHA1

      10b9edb6e510ee582815b3779064698ed9e90db8

    • SHA256

      04a72e5f734b6d97c78477d82b1bd24d45e47769b98d908920265a01bbde2d37

    • SHA512

      e27f08721444474d7f37e45b6636f71cd5e9823ab197b6665f5c48106f8f84ec57bd5f1e953a3c2d0200ae0f9e80b72a261444bea6e828a62cd0b44bf128ab31

    • SSDEEP

      98304:GyVbJ5frOxTN0fAptwDUB+psfprlsg/zG3lC:f2JN0fG6wgsxrqQzGVC

    Score
    9/10
    evasionpersistencethemidatrojan

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Sets service image path in registry

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Checks whether UAC is enabled

      evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral3

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

3
T1497

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

6
T1012

Virtualization/Sandbox Evasion

3
T1497

System Information Discovery

6
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks