allcome | 37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402

General

Target

37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe
Size

7.1MB
MD5

aa9aeef0c7f798b7a2304a36f019a4d5
SHA1

53e215bae2435c8d513dc05e4b759b432b732b37
SHA256

37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402
SHA512

01cb47ed8569519ee56b30c81baceef5ffb6c5278caff6cf0eb8024dd7dd06a609274a827fdd79d028462f22793ef6f3d79f0b3eed1aa4053a190edbb7e4e014
SSDEEP

196608:qjThv/HxOgwX5aTCjgegUseCu55hArH1u7VNRWiM:qjlHID5AogeEe/Hh8HA7EiM

Score

10^/10

allcome evasion stealer themida trojan

Malware Config

Extracted

Family

allcome

C2

http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/API/2/configure.php?cf6zrlhn=finarnw

Wallets

D5c27bWU8dvgdayPUMzKbc75CmsD9aUSDw

r4RkKWPKszhkZVTtXGBDNyrzcDPjpcnGNp

0xC4b495c6ef4B61d5757a1e78dE22edC315867C84

XshLZA5C9odmaiEfopX5DYvwMbnM4hqCME

TT7mceJ6BNhTPFqpaBy1ND1CWGwaGeqhpx

t1MrxfTEGEZioK7qjcDd48KVC5BMk7ccH8B

GCM62OODIUXHYPTVUZT2W4GKPIO7YMLZDNPR4NGUWLBU7KPOU7Q7E44X

48Zvk6W9kfXik8CEscQYjEZdDCVZtXNEGdjczTR4XD9SKfLWkirntGLR7UyhD7aas3C2N3QefcdB4gyLZt93CrmtP5WAeqJ

qz448vxrv9y6lsy0l4y6x98gylykleumxqnqs7fkn6

1AvqxpSfuNooDv2gn8rFNXiWP64bn7m8xa

0x7374d06666974119Fb6C8c1F10D4Ab7eCB724Fcd

LKcXMo6X6jGyk9o9phn4YvYUQ8QVR4wJgo

ronin:bb375c985bc63d448b3bc14cda06b2866f75e342

+79889916188

MJfnNkoXewo8QB5iu9dee2exwdavDxWRLC

ltc1q309prv3k8lc9gqd062eevjvxmkgyv00xe3m6jg

3Gs18Dq8SNrs3kLQdrpUFHa2yX8uD9ZXR7

bc1qhcynpwvj6lvdh393ph8tesk0mljsc6z3y40h2m

Signatures

Allcome
A clipbanker that supports stealing different cryptocurrency wallets and payment forms.
stealer allcome

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2468-134-0x0000000000240000-0x0000000000960000-memory.dmp	themida
behavioral1/memory/2468-135-0x0000000000240000-0x0000000000960000-memory.dmp	themida
behavioral1/memory/2468-152-0x0000000000240000-0x0000000000960000-memory.dmp	themida
behavioral1/memory/4120-155-0x0000000000240000-0x0000000000960000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2468 set thread context of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2192	4120	WerFault.exe	91
4008	4120	WerFault.exe	91

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe
2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe
2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91
PID 2468 wrote to memory of 4120	2468	37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe	91

C:\Users\Admin\AppData\Local\Temp\37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe
"C:\Users\Admin\AppData\Local\Temp\37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Users\Admin\AppData\Local\Temp\37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe
  "C:\Users\Admin\AppData\Local\Temp\37611974a3ee8ab0a2a0849f4421ed44e3b51ee3fb7a24e12111340c9ec15402.exe"
  2⤵
  PID:4120
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 436
    3⤵
    - Program crash
    PID:2192
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 440
    3⤵
    - Program crash
    PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4120 -ip 4120
1⤵
PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4120 -ip 4120
1⤵
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2468-152-0x0000000000240000-0x0000000000960000-memory.dmp

Filesize
7.1MB

Download
memory/2468-137-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/2468-132-0x0000000000240000-0x0000000000960000-memory.dmp

Filesize
7.1MB

Download
memory/2468-136-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/2468-140-0x0000000000240000-0x0000000000960000-memory.dmp

Filesize
7.1MB

Download
memory/2468-138-0x00000000064C0000-0x0000000006A64000-memory.dmp

Filesize
5.6MB

Download
memory/2468-139-0x00000000060F0000-0x00000000060FA000-memory.dmp

Filesize
40KB

Download
memory/2468-134-0x0000000000240000-0x0000000000960000-memory.dmp

Filesize
7.1MB

Download
memory/2468-135-0x0000000000240000-0x0000000000960000-memory.dmp

Filesize
7.1MB

Download
memory/4120-143-0x0000000000210000-0x0000000000233000-memory.dmp

Filesize
140KB

Download
memory/4120-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4120-147-0x0000000000210000-0x0000000000233000-memory.dmp

Filesize
140KB

Download
memory/4120-151-0x0000000000210000-0x0000000000233000-memory.dmp

Filesize
140KB

Download
memory/4120-153-0x0000000000240000-0x0000000000960000-memory.dmp

Filesize
7.1MB

Download
memory/4120-154-0x0000000000240000-0x0000000000960000-memory.dmp

Filesize
7.1MB

Download
memory/4120-155-0x0000000000240000-0x0000000000960000-memory.dmp

Filesize
7.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads