Resubmissions

  • 03-08-2023 07:22  230803-h7h8fsbh93  (score 8/10)

  • 24-10-2022 20:50  221024-zmn2msaeen  (score 10/10)

General

  • Target

    Warcracft III Reforged+Keygen+CD Keys.rar

  • Size

    30.2MB

  • Sample

    221024-zmn2msaeen

  • MD5

    03bf9239a1c35ef0f6f162180499167f

  • SHA1

    b1921d4747ed0ca08ecb31dda5b57079dcd6085d

  • SHA256

    3c806eec38fc8565c942fe0a79331bf3215989d494bb3d5fa8d8057dcef58e03

  • SHA512

    6cd7a438a05c940649e8202e392318905e5785a0476a10388aa62081cdca2de9d9ede2045fb6fbabd116ad7b785b10c4970d0536fea8f945c5510db27c346273

  • SSDEEP

    786432:eQaNznirxs9+seaiiI0Ppr91OLvHh99br84AEEuDW:eQSzB9+sPiD0Pn1Uvh99brhTDW

Malware Config

Extracted

  • Family

    redline

  • Botnet

    BirjNewAntibank2

  • C2

    79.137.197.136:23532

  • Attributes

    auth_value: a4e87a0b1505745bcd9e72d045f1ba5c
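
The hashes in the General and Targets sections and the C2 endpoint from the extracted configuration are the indicators a responder would sweep for. The following is an added example, not part of the sandbox report: it streams every file under a directory through SHA256 and looks the digest up against the report's values, and it picks connections to the C2 out of a connection log. The connection-log line format, the sample log lines and the test files are constructed for illustration; only the digests and the C2 address come from the report.

```python
"""Match files and connection records against the indicators in this report.

Added example, not part of the original report: the SHA256 digests and the C2
endpoint are copied from the report above; the connection-log format and every
file or line used for illustration are constructed.
"""
import hashlib
import re
from pathlib import Path

# SHA256 of each artefact named in the report, labelled with its file name.
REPORT_SHA256 = {
    "3c806eec38fc8565c942fe0a79331bf3215989d494bb3d5fa8d8057dcef58e03":
        "Warcracft III Reforged+Keygen+CD Keys.rar",
    "fb3d286faee2cf6345988d4dd8c025688075e425a64c311439bed5d54461b0ab":
        "-warcraft-tft-keygen-F82Z5I7.exe (RedLine payload)",
    "bdb03d50cba10bbbaea2409521c515d15f3e674e6ccabbadfec319bdc08cd1ea":
        ".............exe",
    "527111caf8051bff0e019113faf2258b2fe5b8b7dae0e93b68d20d04ed19995a":
        "Warcracft III Reforged/StarCraft-Setup.exe",
    "fcd4dd0cd7f49f879cb94cdb263af2ab149e1b817ce59b10a13db9f338f47cfa":
        "Warcracft III Reforged/Warcraft III Reforged™ Setup.exe",
}

# RedLine C2 from the extracted configuration.
C2_HOST = "79.137.197.136"
C2_PORT = 23532


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so a 30 MB archive need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root, indicators=REPORT_SHA256):
    """Return (path, label) for every regular file under root whose SHA256 is listed."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            label = indicators.get(sha256_file(path))
            if label:
                hits.append((str(path), label))
    return hits


# Assumed connection-log line format (constructed for this example):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
CONN_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>\w+)"
)


def find_c2_connections(lines, host=C2_HOST, port=C2_PORT):
    """Return parsed records whose destination is the given host and port."""
    hits = []
    for line in lines:
        m = CONN_LINE.match(line.strip())
        if m and m["dst"] == host and int(m["dport"]) == port:
            hits.append({"ts": m["ts"], "src": m["src"], "proto": m["proto"]})
    return hits


# Constructed sample lines: one hit on the C2 port, one unrelated destination,
# and one to the C2 host on a different port (not reported by default).
SAMPLE_CONN_LOG = [
    "2023-08-03T07:22:01Z 10.0.0.5:49821 -> 79.137.197.136:23532 tcp",
    "2023-08-03T07:22:03Z 10.0.0.5:49822 -> 142.250.74.46:443 tcp",
    "2023-08-03T07:22:05Z 10.0.0.7:53412 -> 79.137.197.136:443 tcp",
]

if __name__ == "__main__":
    import sys
    for path, label in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"HASH MATCH  {path} -> {label}")
    for rec in find_c2_connections(SAMPLE_CONN_LOG):
        print(f"C2 CONNECT  {rec['ts']} from {rec['src']} ({rec['proto']})")
```

Matching on the port as well as the host keeps the default sweep tight to what the report observed; passing a different `port` (or none of the C2 constants) widens it to the host alone, which is the right move once the IP is known to be attacker infrastructure rather than shared hosting.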

Targets

    • Target

      -warcraft-tft-keygen-F82Z5I7.exe

    • Size

      9.5MB

    • MD5

      a959e89b1669d9657223e0708e60edca

    • SHA1

      5e6113b81512f75f7138994a72e7d1152ebbab05

    • SHA256

      fb3d286faee2cf6345988d4dd8c025688075e425a64c311439bed5d54461b0ab

    • SHA512

      bb183aede190f9886d18ee002ffaae6e66e485a4f8d0123887e37b622c63685f35f7beda400ea4118770491e962a48d401e29e9ed64f584e30b02df367702aba

    • SSDEEP

      196608:AW6aE7Lojzz2jXtfoZ08YKvF0n3mOr0ikl8UuYOOKDHoazb9keDC:OZ7Lszz2jX6ixKvF0n2Oo8wEDPkf

    • Modifies Windows Defender Real-time Protection settings

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Windows security bypass

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file packed with the ACProtect software protector.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX build.

    • Checks BIOS information in registry

      BIOS vendor and version strings in the registry are often read to detect virtualised or sandboxed environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops Chrome extension

    • Drops desktop.ini file(s)

    • AutoIT Executable

      AutoIt script compiled to a PE executable.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • Target

      .............exe

    • Size

      3.9MB

    • MD5

      1c9d03acc5ce4d1565e01418e2892087

    • SHA1

      345be215d0017d06a3934150105389730038fa69

    • SHA256

      bdb03d50cba10bbbaea2409521c515d15f3e674e6ccabbadfec319bdc08cd1ea

    • SHA512

      1442ad0b3af4fddc1c6980426a25f6d2c4b033902b8cc42596ad0077385ca3d56e4fed4517a61fe4d5b5b185b34030196ac9c5dcc61d93fd48292aed2b7998e8

    • SSDEEP

      49152:gnHn5pXUXb6c9YuoHjAbDiYFpIDckO4iNQxgei6HQR9sXafgkDFMVR9C1UhPJXMS:45pEXOc9AH8FpQrDgeJrBiCV2HXq

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Creates new service(s)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Possible privilege escalation attempt

    • Registers COM server for autorun

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Loads dropped DLL

    • Modifies file permissions

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Warcracft III Reforged/StarCraft-Setup.exe

    • Size

      4.8MB

    • MD5

      0f66a5bbb9a1e750d98c9529d0a5f7d4

    • SHA1

      6d6ae5c4096c03a83e97f290ec5bbc55753b9ba7

    • SHA256

      527111caf8051bff0e019113faf2258b2fe5b8b7dae0e93b68d20d04ed19995a

    • SHA512

      331ea370cddeb2942ab3756338c74ad3ea988c5d1df840fa0e5ad94a08066a5d2c28a98ab0a1a7841f00850eacddce31e4f7871e96002f69d080e0c4668746b7

    • SSDEEP

      98304:djp5CzCWby2H8sh8nIKWc9fDmuqMR1GNe/GXh:r52r0fSuqHX

    Score
    7/10
    • Loads dropped DLL

    • Target

      Warcracft III Reforged/Warcraft III Reforged™ Setup.exe

    • Size

      10.6MB

    • MD5

      69ed233958e8c23382060102217b22d4

    • SHA1

      5084e3104dd3da0b3614aba1e2d7c1357a9dcc14

    • SHA256

      fcd4dd0cd7f49f879cb94cdb263af2ab149e1b817ce59b10a13db9f338f47cfa

    • SHA512

      5e157735442f1ed596a7faeea66ee5e5cd2f1546a036962f7d349e71196810fa07ff3201113a9f90db8878272099ab05d5e2be88efa0470e982c238bf382c272

    • SSDEEP

      196608:wuDdEGOylRlbMN34CJAk6t5/ooYzxVAruqZY/5slZSFOW6sqgCkujAnZZ:wqdxOqJQ4Xk6tivzzYNq5slcOBsbyjAf

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Loads dropped DLL
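
The behaviours listed for each target describe what the dropper and the RedLine payload do on the host; the persistence and defence-evasion ones are also what a defender can observe in endpoint telemetry. The following is an added example, not part of the report or of any detection product: it encodes four of the listed behaviours (Defender real-time protection settings modified, Run key added, startup file dropped, new service created) as predicates over normalised Sysmon-style registry, file and service-install events and runs them over a constructed batch. Field names follow Sysmon's Event ID 11 and 13 schemas and the System log's 7045 service-install record; the events, the rule names and the user-writable-path heuristic are assumptions made for the example. Registry reads such as the BIOS, country-code and Uninstall-key lookups are not logged by Sysmon, so they are deliberately left out.

```python
"""Detection logic for the host behaviours listed above, run over constructed
Sysmon-style events.

Added example, not from the report: rule names, field shapes and every event
below are made up for illustration. Technique IDs follow the ATT&CK v6 matrix
used by this report.
"""
import re

# Paths an unprivileged user can write to. A persistence entry or service that
# points here is far more suspicious than one pointing into Program Files.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads)\\", re.IGNORECASE)

# Path fragments compared case-insensitively against the event's target.
DEFENDER_RTP = "\\windows defender\\real-time protection\\"
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def rule_defender_realtime(ev):
    """Modifies Windows Defender Real-time Protection settings (v6 T1089)."""
    return ev["EventID"] == 13 and DEFENDER_RTP in ev.get("TargetObject", "").lower()


def rule_run_key(ev):
    """Adds Run key to start application (v6 T1060) with a user-writable command."""
    target = ev.get("TargetObject", "").lower()
    return (ev["EventID"] == 13
            and any(k in target for k in RUN_KEYS)
            and USER_WRITABLE.search(ev.get("Details", "")) is not None)


def rule_startup_file(ev):
    """Drops startup file (v6 T1060)."""
    return ev["EventID"] == 11 and STARTUP_DIR in ev.get("TargetFilename", "").lower()


def rule_new_service(ev):
    """Creates new service(s) (v6 T1050) whose binary lives in a user-writable path."""
    return ev["EventID"] == 7045 and USER_WRITABLE.search(ev.get("ImagePath", "")) is not None


RULES = [
    ("defender_realtime_modified", "T1089", rule_defender_realtime),
    ("run_key_user_writable", "T1060", rule_run_key),
    ("startup_folder_drop", "T1060", rule_startup_file),
    ("service_user_writable", "T1050", rule_new_service),
]


def detect(events):
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        for name, technique, predicate in RULES:
            if predicate(ev):
                alerts.append({"rule": name, "technique": technique,
                               "source": ev.get("Image") or ev.get("ImagePath")})
    return alerts


# Constructed events in the shape a log pipeline might produce from Sysmon
# Event IDs 11 (FileCreate) and 13 (RegistryEvent value set) and System 7045
# (service installed). The last event is benign and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "Image": "C:\\Users\\victim\\Desktop\\-warcraft-tft-keygen-F82Z5I7.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\helper.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\victim\\AppData\\Local\\Temp\\helper.exe"},
    {"EventID": 11,
     "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\helper.exe",
     "TargetFilename": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"},
    {"EventID": 7045, "ServiceName": "HelperSvc",
     "ImagePath": "C:\\Users\\victim\\AppData\\Local\\Temp\\helper.exe"},
    {"EventID": 13,
     "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['technique']}  {a['rule']:28}  {a['source']}")
```

The Defender rule fires on any value written under the Real-Time Protection key, not just DisableRealtimeMonitoring, because the other values there (behaviour monitoring, on-access protection, IOAV) are equally useful to a stealer; the Run-key and service rules are narrowed to user-writable binaries to keep installer noise out, at the cost of missing a payload copied into a system directory, which the "Drops file in System32 directory" behaviour above shows this sample can also do.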

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                            Count  ID
Execution              Scheduled Task                       1      T1053
Persistence            Modify Existing Service              1      T1031
Persistence            Registry Run Keys / Startup Folder   2      T1060
Persistence            Scheduled Task                       1      T1053
Persistence            New Service                          1      T1050
Privilege Escalation   Scheduled Task                       1      T1053
Privilege Escalation   New Service                          1      T1050
Defense Evasion        Modify Registry                      7      T1112
Defense Evasion        Disabling Security Tools             2      T1089
Defense Evasion        Install Root Certificate             2      T1130
Defense Evasion        File Permissions Modification        1      T1222
Credential Access      Credentials in Files                 3      T1081
Discovery              Query Registry                       9      T1012
Discovery              System Information Discovery         10     T1082
Discovery              Remote System Discovery              2      T1018
Collection             Data from Local System               3      T1005
