General

  • Target: Driver Easy Pro Crack.zip
  • Size: 1.5MB
  • Sample: 230318-wk9zjsdb77
  • MD5: 534420721b0963ae04a5a043f409d25a
  • SHA1: 0a9db5a5b814eb86fd0b106b324c6ce693c748a3
  • SHA256: 8b57ba1b6222d9061bc7548874aa1a7dfc846e79b0c0d2b64dfb62900337ae1b
  • SHA512: da2a370bb50fdee6f0783c1ceb9dd30482321ae1d8a83e4e8814cab1964af85ada694d329c2b13a38f0141a3c6d7913a05bcaea15ec3c2fd61c4b582c33b2176
  • SSDEEP: 24576:TAzIloOCbojRJ049RX4PO856Oo/lFTp453YGRfpAuta7CEiVDN2jL6:cDKVq49RUb56r/3TpQXxAVGXDE6

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
      ps1.dropper: https://neutropharma.com/wp/wp-content/debug2.ps1

Extracted

  • Family: raccoon
  • Botnet: cf8e11f4b26a8b6523ebca1d025854f5
  • C2: http://109.234.39.45/
  • rc4.plain

Extracted

  • Family: gcleaner
  • C2:
      45.12.253.56
      45.12.253.72
      45.12.253.98
      45.12.253.75

Targets

    • Target: Driver Easy Pro Crack.exe
    • Size: 1.7MB
    • MD5: 004c3aa112c49b35f9cafc4e2ba164e8
    • SHA1: cfcd2539fc5edfb8d36877d082ec65e6f918814c
    • SHA256: af03c1abaef7a6da4aedc600e8b92bf82fca6ae4b9c1efc628caf5d0f21acb37
    • SHA512: b6f0003e295583337f80f6611db21caa1c3b5345117fab42f952b87f5bac0ec45c7ef6d72f8f75d183444e0640b4a1a84b636af5ab6a8cdfdbfa0e39cc684e98
    • SSDEEP: 24576:dJr8tE+AIWnUuzbkCEIz4Kvb/bIVYjmOIvm0ZDzMYxSGcDqhSALxG1yNtVPDc3IC:dJ4gFsMv/IIv0ZDgYQvDD+5PDcY07

    • Detects PseudoManuscrypt payload
    • GCleaner
      GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
    • Process spawned unexpected child process
      This typically indicates the parent process was compromised via an exploit or macro.
    • PseudoManuscrypt
      PseudoManuscrypt is malware based on Lazarus's Manuscrypt, targeting government organizations and ICS.
    • Raccoon
      Raccoon is an infostealer written in C++ and first seen in 2019.
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Windows security bypass
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Sets DLL path for service in the registry
    • Sets service image path in registry
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Unexpected DNS network traffic destination
      Network traffic on the DNS port to servers other than the configured DNS servers was detected.
    • Uses the VBS compiler for execution
    • Accesses 2FA software files, possible credential harvesting
    • Accesses cryptocurrency files/wallets, possible credential harvesting
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

    • Target: INSTRUCTIONS.url
    • Size: 130B
    • MD5: d6243a727322924914fb86362ba8d8f5
    • SHA1: e4b33f5ed4c3e49567bc0aa558fa44fa04b19af4
    • SHA256: 50058400d54c609fe44cc936c76dd56261a80f1e7bccb57ba7aa149199aa542a
    • SHA512: 583c4e87627d8030a64801056e303bb5186ae2c7945818b517facc00652672be5a268a415e333e1a2b388bc76efa0638c8412eb0e435fecd77a60edd0b5aa892

    Score: 6/10

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                            Count  ID
  Execution          Scripting                            1      T1064
  Persistence        Registry Run Keys / Startup Folder   2      T1060
  Defense Evasion    Disabling Security Tools             1      T1089
  Defense Evasion    Modify Registry                      5      T1112
  Defense Evasion    Scripting                            1      T1064
  Defense Evasion    Install Root Certificate             1      T1130
  Credential Access  Credentials in Files                 2      T1081
  Discovery          Query Registry                       3      T1012
  Discovery          System Information Discovery         6      T1082
  Discovery          Remote System Discovery              1      T1018
  Collection         Data from Local System               2      T1005

Tasks