General

  • Target

    BTRSetp.exe

  • Size

    258KB

  • Sample

    210306-69e2b9g6sj

  • MD5

    1165ce455c6ff9ad6c27e49a8094b069

  • SHA1

    3ba061200d28f39ce95a2d493d26c8eb54160e85

  • SHA256

    c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

  • SHA512

    dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

Malware Config

Targets

    • Target

      BTRSetp.exe

    • Size

      258KB

    • MD5

      1165ce455c6ff9ad6c27e49a8094b069

    • SHA1

      3ba061200d28f39ce95a2d493d26c8eb54160e85

    • SHA256

      c089f4a7b15f47edfe5c4748b2f34e8962bf115e6980355d67036be35c982eb1

    • SHA512

      dfa4109f3c0a6368c309ccfa0449823ad6388d122f9161e78044b48890126e26a1cfc36666f20b9800ac3ac6ced02c1132b40bb9131f5d6a5685ad5ec5a529a4

    • ElysiumStealer

      ElysiumStealer (previously known as ZeromaxStealer) is an info stealer that can steal login credentials for various accounts.

    • ElysiumStealer Payload

    • ElysiumStealer Support DLL

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • XMRig Miner Payload

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • themida

      Detects Themida, Advanced Windows software protection system.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

2
T1112

Install Root Certificate

1
T1130

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

3
T1082

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Tasks