2f0b8c5ea4e7923690e4c4424621c2f00cc40d3c62790a2389addc5ea8ba14a8

Sharing

Copy URL

Twitter E-mail

General

Target

GodMode9-v2.1.1-20220322194259.zip
Size

2.5MB
Sample

230401-s9rbysba39
MD5

b63528fb75da0e9e5ea042dd8608610a
SHA1

86357bf32d32aaab48d28d331a0798aa377ba258
SHA256

2f0b8c5ea4e7923690e4c4424621c2f00cc40d3c62790a2389addc5ea8ba14a8
SHA512

d6516e0afceaa02a658b0501b1a0a15b6275dab9d5036ba37569e39995c90011f8356bb1b01a5dec690ee267c4c605326d45a272698b21150b75b3b183a89a4a
SSDEEP

49152:qpkeq3BQEHQK2XdU1qb2gXebJymkktaibGHJ/MlCJ5ewJ3D7IM+39D:Skeqx9QLdUU6gXuymkkbMTB33p+3J

Score

10^/10

Malware Config

Targets

- Target
  
  GodMode9-v2.1.1-20220322194259.zip
- Size
  
  2.5MB
- MD5
  
  b63528fb75da0e9e5ea042dd8608610a
- SHA1
  
  86357bf32d32aaab48d28d331a0798aa377ba258
- SHA256
  
  2f0b8c5ea4e7923690e4c4424621c2f00cc40d3c62790a2389addc5ea8ba14a8
- SHA512
  
  d6516e0afceaa02a658b0501b1a0a15b6275dab9d5036ba37569e39995c90011f8356bb1b01a5dec690ee267c4c605326d45a272698b21150b75b3b183a89a4a
- SSDEEP
  
  49152:qpkeq3BQEHQK2XdU1qb2gXebJymkktaibGHJ/MlCJ5ewJ3D7IM+39D:Skeqx9QLdUU6gXuymkkbMTB33p+3J
Score

10^/10

discovery evasion persistence ransomware spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- UAC bypass
  evasion trojan
- Disables RegEdit via registry modification
  evasion
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Registers COM server for autorun
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2
- Target
  
  GodMode9.firm
- Size
  
  448KB
- MD5
  
  e178318d5cf7ca96edcff7fa9b0b9936
- SHA1
  
  e0c61084a8aa421dee81f4e815f3d414fbaf67da
- SHA256
  
  e398dfa929582e12861a3e90d8e8f435e5deb1d7d27a4cd9dc13057f3a9173ec
- SHA512
  
  98a494da7da4bf8a487c640cf4fbb5b27f03bc0302becfd69431d1adedcd263552e86108fd6f1836e9a8af678de501ff3a9a7eb944b102f6436a677fb465aaa5
- SSDEEP
  
  12288:AiB7SvN1M/euF4c35pjRm1C3xKobiFqxPP1wpTpKSI:XBUv0b35kkK3FqxPP1K7
Score

3^/10
behavioral3 behavioral4
- Target
  
  GodMode9.firm.sha
- Size
  
  32B
- MD5
  
  1d01fd0b33402e5ff44edebe9bd58614
- SHA1
  
  16f90b74c587b40c57e378e9c9c6f75edd3a7fdb
- SHA256
  
  de7339b5b21862877008d60e7816c9b0fb6d45aa5b6acfb713e6b0283536cc17
- SHA512
  
  b8d845231b6eea4c18f24ae17abe57c4d4aa73e2829506b7bf68070e9cd71cd446f3b227105b223ad1538454250f548c4b75892250a65055cf4b969a57c6ae66
Score

8^/10

bootkit evasion persistence
- Disables Task Manager via registry modification
  evasion
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral5 behavioral6
- Target
  
  GodMode9_dev.firm
- Size
  
  448KB
- MD5
  
  23c0cdb57c54d803fe0ca838a4cff24a
- SHA1
  
  0520d7bb47cb3698536837af96dc71267712a578
- SHA256
  
  3ec182db894d7159ddaaa6cb68a61626fd014af06ca81633891626e9c356296a
- SHA512
  
  067c99569a3498cf73e400115cd9fd1a70e0cf839f5b7231e2dac1f0fff536e48847c8cca6ee212746b03ca33f1a560e2f49923f432067fc2a0179873592faa2
- SSDEEP
  
  12288:iiB7SvN1M/euF4c35pjRm1C3xKobiFqxPP1wpTpKSI:NBUv0b35kkK3FqxPP1K7
Score

3^/10
behavioral7 behavioral8
- Target
  
  GodMode9_dev.firm.sha
- Size
  
  32B
- MD5
  
  0083a4ca0c6c9563365ae589875808e7
- SHA1
  
  70f9d5aed9a5fc59138e27af281ab63642c818e9
- SHA256
  
  e5016cc97807aca8137c9e9f70c3e23f4305b4f14dd7d0603b3a852311f8833f
- SHA512
  
  433b60bd929b98962f70b38b965328a1c4822e4faf9bd5ad986f170a20239c79f8e925c49d4894a669fd6f44921d1f95bd32b1411ce2d7a5ffb8aafa442b4ce6
Score

3^/10
behavioral10 behavioral9
- Target
  
  README.md
- Size
  
  33KB
- MD5
  
  56d516a0b8b08c2c3ffc831cc1333150
- SHA1
  
  b0ddb188ec55d3ef4e95bcfa017d813581b5853c
- SHA256
  
  ee2c5bd769e09ea9550ac5a99067a4150de3b88741dda74a96cdf4951c337581
- SHA512
  
  001c3cac3094edfdb208b04f7320446da3cca3ba742e6a9873d1b2ee7a67144db033b5e71ef4a64dde44f5077bc8d3263e5ad57824290c0a2f23b38704097494
- SSDEEP
  
  384:IbZA6aciT2ygr91ckRrMm6993sp28SduGYIP5/oDMaGbIlj8gSSIFfPLGOhzhrt4:8bqnD8pIPVuG4QgohVhzhrSBIq43sL
Score

3^/10
behavioral11 behavioral12
- Target
  
  gm9/scripts/GM9Megascript.gm9
- Size
  
  64KB
- MD5
  
  5d71540b08e49fa853c1d907d33b0028
- SHA1
  
  743c462ae0df9975a10466bc019715b050c493c7
- SHA256
  
  ec6de66be12908f1504e42b27f74de4f874409cd98d5dc8c18c1d5e7ff415c17
- SHA512
  
  c3c34230d56ac751fdd3b01463a4bc51e97dc07ae20d0b60808dd5f0ae79405d078b8a1164bcb96ac28a5c6b9cd8443e563721fd1bf590ed91546361650ed61c
- SSDEEP
  
  1536:ZWCwM89wyFJBYG3LN5a4pjJOvBxMZifZyOKD+S:Z1wMtxMZi4
Score

1^/10
behavioral13 behavioral14
- Target
  
  gm9/scripts/NANDManager.gm9
- Size
  
  6KB
- MD5
  
  b6479f2cd61e2adae8816a5048e6c521
- SHA1
  
  a6f2989d765887f546a7880feaee7c1a6a9d1f63
- SHA256
  
  3000e146241e477588ee0566e40e987aa6f1f5e0d19e1bd152eb63d62dfb8c1e
- SHA512
  
  1a33eb5acc926a0da9c54ba2470b61154bba1b23f5aca247bfcd93160dbd2306eaeeec3be0a14d83ac024d665943821c68fdb8e26c35e1dedaae5b10c447ca11
- SSDEEP
  
  96:z5LUmITU2iXAwpaPa7606OfAl9JrZJhb4LK7IS2xaqwF:ztUm2U2iXhvSwA97nbG8t2V8
Score

3^/10
behavioral15 behavioral16
- Target
  
  ntrboot/GodMode9_ntr.firm
- Size
  
  522KB
- MD5
  
  8f61eb8dafe9e050be450be4cefab9ef
- SHA1
  
  1b155ce46d0dec3ff556c9060ce5d654ebb2212a
- SHA256
  
  1511e905f63e21f182d8c611eef8f409650d442e1c4c43df487576fe92316d86
- SHA512
  
  6abf7a7b61af57a4352d4651b161e2b000a7f7462ffd9d33bb13163fc1af4684800fb9c863da9a02f2a24eedc0f89396c1ed4d3211ce71956dcbb4b5bbf95c54
- SSDEEP
  
  12288:cKCzVEJiY3YpMVllfvg6x1QBfLPwVni3O4ylpqEMD:cK6VaiY3YGflf47MVn34ylpqEMD
Score

3^/10
behavioral17 behavioral18
- Target
  
  ntrboot/GodMode9_ntr.firm.sha
- Size
  
  32B
- MD5
  
  458675f53d327698cd7c0850b4bbba95
- SHA1
  
  ced5dd6f14a65ff5680c9b981865ee0eb6d82398
- SHA256
  
  299b011d7c2f839ddef0400e1e40fbe6321e03448655f1e5b9c97dc763f6d84c
- SHA512
  
  ee47c732c0a9abce39067b098b82177cfb35509129bb98229e87a6cf7f4f4f28f645a879c88f67a9f653a813a29b0403ca768198e7f8df05ae94834836c4d482
Score

3^/10
behavioral19 behavioral20
- Target
  
  ntrboot/GodMode9_ntr_dev.firm
- Size
  
  522KB
- MD5
  
  18ae8b01b5e0a2a43185f4092ec1ffd3
- SHA1
  
  afc83d466513dd293155b7f197a29ee54d63d8ba
- SHA256
  
  42e30b285db1ce2023aed1e9862994eff9c14b3f56a8e37c6de6f5aeeaa121a5
- SHA512
  
  620fe65f3d9623bd8b5fcadc71e384bed1f9cb93169e272031999557977b60f80ec8a1917d5e5e6e1002e374440f5854c2a35154310ac4bd08d62f2bf6923c43
- SSDEEP
  
  12288:JD8AKg32PhGQakewQMR3koxtLSdUtSo8Fg+gFhi2NiF3fpRuxH:tlx2PhJakewJ3D73YM+2hiHF3Xuh
Score

3^/10
behavioral21 behavioral22
- Target
  
  ntrboot/GodMode9_ntr_dev.firm.sha
- Size
  
  32B
- MD5
  
  69e33f756730d351f312182feadcf36e
- SHA1
  
  371287c9152c5193f0313c65cc9208b4e5c37652
- SHA256
  
  1c450fc4860528aff76159b4353f01d572205bc46a98735a67cac84be76c9420
- SHA512
  
  9ba894e0118c54ccb421620a89a2f63e2c40e356ee67516bb49bf63da8d10000f8c3ca6ca0fa8f18eaa9bd6a877593af336ddfa86323419ef99232cb27133ec3
Score

3^/10
behavioral23 behavioral24
- Target
  
  sample/HelloBranching.gm9
- Size
  
  7KB
- MD5
  
  f423d2e3850c2ac67b4ca08dd536320a
- SHA1
  
  24103d118d6104e1b82a6f6affad40fae163c80f
- SHA256
  
  7208a693bbd18203f1ab05f33a90a9c0577b2f4d1bd7ccaaab34d20213c5cef5
- SHA512
  
  63c32c4c48c12aac4403068388ea3236e47f1b88df0a76550cc4d044783bcaa68d36c0fab8c4553fab4a070a8b273670b418fdaf5028ae873bbe36e82e9adc9f
- SSDEEP
  
  96:0GjdVQHIEVCqDSctGAFWBoXSsQJjVw42EYEOaoZuVxfCo/QLxJ3GrCiNvn25wG7+:JjdfEMqpTkB9sANmEmCpCeQdJECiF2yZ
Score

1^/10
behavioral25 behavioral26
- Target
  
  sample/HelloScript.gm9
- Size
  
  15KB
- MD5
  
  aea0bd0a28b16f9aade0dc60470bc856
- SHA1
  
  b4d9c2331e92afc3bd31f0e344fc6abe5e453fe7
- SHA256
  
  e51cd1d080a21719ed5dd301dc5e2260090533992f42e0b36f0e53f65ac966e3
- SHA512
  
  532d3455c26ed9f4407be0f2d9288092b004ea8a2478cd10834e1928e70363fd4d5d3fabc3f8e48c418fe57dd0ba7210e09bf37bce289f5c87c1c729f2118ce4
- SSDEEP
  
  384:V2RWbmdR2oOgZ5tsvmONgDvF7Vd+aMvuV+Gjazbbmp:ViomZOUoWBV1MmV+Dbbmp
Score

1^/10
behavioral27 behavioral28
- Target
  
  sample/HelloSpaghetti.gm9
- Size
  
  2KB
- MD5
  
  e59b51c37f67c8288ad7c720bcb23739
- SHA1
  
  ad46538abe57c9d286da592c88af5b24c2e322fa
- SHA256
  
  45b2ae43f150bc8d78cd1ea8ccab58ab35c1b4055b769558edbb769a38bf7d5f
- SHA512
  
  f1af150c490f19534c668b00efa2987a0e3eaacde04ba481502adb5997e6793c5ec28bc94deb30a6dd33cdbecda108447656652a3fd234190d330c1d1673d318
Score

1^/10
behavioral29 behavioral30

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Tasks

Sharing

General

Malware Config

Targets

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Registers COM server for autorun

Checks installed software on the system

Checks whether UAC is enabled

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Sets desktop wallpaper using registry

Disables Task Manager via registry modification

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30