Mini.Golf.Oid.Free.v3.16.1.crack.by.F4CG.zip

General
Target

Mini.Golf.Oid.Free.v3.16.1.crack.by.F4CG.zip

Size

4MB

Sample

210322-3e6l64pw2j

Score

10/10
MD5

ba483b54a76a33ae69ab32bd87f891de

SHA1

3a3ac37c8cd00f73f4da2c415533f5210efb63fa

SHA256

f11ebf4382ecbd234874308ae3578a6041f7bd0c195658acd9ea65d366428b34

SHA512

01f79583e8a4eef655cf44425db2df807fd3973b779626950f01dba9c801e8335fec3349b67a2c1bdbec4d7cc6bf0af6128a624ac86b0791e2a1029dc0c9bfd7

Malware Config

Extracted

Language ps1
Deobfuscated
URLs
ps1.dropper

http://labsclub.com/welcome

Extracted

Family azorult
C2

http://kvaka.li/1210776429.php

Extracted

Family raccoon
Botnet c46f13f8aadc028907d65c627fd9163161661f6c
Attributes
url4cnc
https://telete.in/capibar
rc4.plain

Extracted

Family raccoon
Botnet 2ce901d964b370c5ccda7e4d68354ba040db8218
Attributes
url4cnc
https://telete.in/tomarsjsmith3
rc4.plain

Extracted

Family smokeloader
Version 2019
C2

http://10022020newfolder1002002131-service1002.space/

http://10022020newfolder1002002231-service1002.space/

http://10022020newfolder3100231-service1002.space/

http://10022020newfolder1002002431-service1002.space/

http://10022020newfolder1002002531-service1002.space/

http://10022020newfolder33417-01242510022020.space/

http://10022020test125831-service1002012510022020.space/

http://10022020test136831-service1002012510022020.space/

http://10022020test147831-service1002012510022020.space/

http://10022020test146831-service1002012510022020.space/

http://10022020test134831-service1002012510022020.space/

http://10022020est213531-service100201242510022020.ru/

http://10022020yes1t3481-service1002012510022020.ru/

http://10022020test13561-service1002012510022020.su/

http://10022020test14781-service1002012510022020.info/

http://10022020test13461-service1002012510022020.net/

http://10022020test15671-service1002012510022020.tech/

http://10022020test12671-service1002012510022020.online/

http://10022020utest1341-service1002012510022020.ru/

http://10022020uest71-service100201dom2510022020.ru/

http://10022020test61-service1002012510022020.website/

http://10022020test51-service1002012510022020.xyz/

http://10022020test41-service100201pro2510022020.ru/

http://10022020yest31-service100201rus2510022020.ru/

http://10022020rest21-service1002012510022020.eu/

http://10022020test11-service1002012510022020.press/

http://10022020newfolder4561-service1002012510022020.ru/

http://10022020rustest213-service1002012510022020.ru/

http://10022020test281-service1002012510022020.ru/

http://10022020test261-service1002012510022020.space/

http://10022020yomtest251-service1002012510022020.ru/

http://10022020yirtest231-service1002012510022020.ru/

rc4.i32

Extracted

Family icedid
C2

house34vegas.uno

Extracted

Family metasploit
Version windows/single_exec

Extracted

Family raccoon
Botnet afefd33a49c7cbd55d417545269920f24c85aa37
Attributes
url4cnc
https://telete.in/jagressor_kz
rc4.plain

Extracted

Family danabot
Version 1765
C2

192.161.48.5:443

23.106.123.117:443

192.236.146.203:443

193.34.167.88:443

rsa_pubkey.plain
Targets
Target

Mini.Golf.Oid.Free.v3.16.1.crack.by.F4CG.exe

MD5

da9944dd853f8cc9ebff16ee5efabb38

Filesize

4MB

Score

10/10
SHA1

29f499c07a176247eef7dbbdaa68871f888e9514

SHA256

fd164eaaca210cc14c590968ff7cae1b8bd3c659454271ace1167513bcf51c98

SHA512

7b7ce5876d31aba315b1473068894ba338b1f0b7c02a2368115408c3f9322362834231a871fd25a7447c41dd86891e9c3504d06cae382b1885ce43c99081c2fc

Tags

Signatures

  • Azorult

    Description

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    Tags

  • CryptBot

    Description

    A C++ stealer distributed widely in bundle with other software.

    Tags

  • Danabot

    Description

    Danabot is a modular banking Trojan that has been linked with other malware.

    Tags

  • Glupteba

    Description

    Glupteba is a modular loader written in Golang with various components.

    Tags

  • Glupteba Payload

  • IcedID, BokBot

    Description

    IcedID is a banking trojan capable of stealing credentials.

    Tags

  • MetaSploit

    Description

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

    Tags

  • PlugX

    Description

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    Tags

  • Pony, Fareit

    Description

    Pony is a Remote Access Trojan application that steals information.

    Tags

  • Raccoon

    Description

    Simple but powerful infostealer which was very active in 2019.

    Tags

  • RedLine

    Description

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    Tags

  • SmokeLoader

    Description

    Modular backdoor trojan in use since 2014.

    Tags

  • Suspicious use of NtCreateProcessExOtherParentProcess

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

    Tags

  • Windows security bypass

    Tags

    TTPs

    Disabling Security Tools; Modify Registry

  • Checks for common network interception software

    Description

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    Tags

    TTPs

  • IcedID First Stage Loader

    Tags

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    Tags

    TTPs

    Query Registry; Virtualization/Sandbox Evasion

  • Modifies boot configuration data using bcdedit

  • Blocklisted process makes network request

  • Drops file in Drivers directory

  • Executes dropped EXE

  • Looks for VMWare Tools registry key

    Tags

    TTPs

    Query Registry; Virtualization/Sandbox Evasion

  • Modifies Windows Firewall

    Tags

    TTPs

    Modify Existing Service

  • Possible attempt to disable PatchGuard

    Description

    Rootkits can use kernel patching to embed themselves in an operating system.

    Tags

    TTPs

    Command-Line Interface

  • Sets service image path in registry

    Tags

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • UPX packed file

    Description

    Detects executables packed with UPX/modified UPX open source packer.

    Tags

  • Checks computer location settings

    Description

    Looks up country code configured in the registry, likely geofence.

    TTPs

    Query Registry; System Information Discovery

  • Drops startup file

  • Loads dropped DLL

  • Reads data files stored by FTP clients

    Description

    Tries to access configuration files associated with programs like FileZilla.

    Tags

    TTPs

    Data from Local System; Credentials in Files

  • Reads local data of messenger clients

    Description

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    Tags

    TTPs

    Data from Local System; Credentials in Files

  • Reads user/profile data of local email clients

    Description

    Email clients store some user data on disk where infostealers will often target it.

    Tags

    TTPs

    Data from Local System; Credentials in Files

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System; Credentials in Files

  • Windows security modification

    Tags

    TTPs

    Disabling Security Tools; Modify Registry

  • Accesses 2FA software files, possible credential harvesting

    Tags

    TTPs

    Data from Local System; Credentials in Files

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local System; Credentials in Files

  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Checks for any installed AV software in registry

    TTPs

    Security Software Discovery

  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry

  • Drops Chrome extension

  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service

  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext
