Overview

overview

8

Static

static

ganboyz_shells.exe

windows7_x64

8

ganboyz_shells.exe

windows10_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ganboyz_shells.rar

  • Size

    489KB

  • Sample

    210222-zwcle18xa6

  • MD5

    d55a245b05ff10db710cfc25fd9cdf7f

  • SHA1

    50ba4c2858d8e4e68257bc468e0e42d7898f83d9

  • SHA256

    e1f0f8fafbfa2376d719f8968ed0415512595261c3e7799082987be10e02bdc6

  • SHA512

    c372d6e6f35eb0a4daf68a06eb30545c5ad803fa2ee43f8d049cebfc60fcc963ea0143d880f183ff541d6606bb448fa59cf1ccba88c05025bad6fb7ebf31fe55

Score
8/10
spywarevmprotect

Malware Config

Targets

    • Target

      ganboyz_shells.exe

    • Size

      770KB

    • MD5

      48730d2dd083d21181f6be14ea2c9e94

    • SHA1

      d39de3ad92db0b862cca7f6caaa3d27214f4a5dc

    • SHA256

      383577fee24fe1e68c454f65c436cd1bb64cb347fbe9a4a873730de9ff60c82f

    • SHA512

      080eb7a9196dcd3d8deb18a21d11263dad1a7b38527cbad5e7b8fbed01c8681f24bf2deee0f6bd0c49354f6de3dda750edede9dfcc1d02b21656e3f3fa0ec315

    Score
    8/10
    spywarevmprotect

    • Executes dropped EXE

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks