Malware Analysis Report

2025-06-15 21:43

Sample ID 230405-x4wfyaba91
Target RiotCracker_by_B60.zip
SHA256 b99206182eb58236a3a7de278803a6a7c1a5d331d62bcbfb9374bba9702db188
Tags
agilenet
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b99206182eb58236a3a7de278803a6a7c1a5d331d62bcbfb9374bba9702db188

Threat Level: Shows suspicious behavior

The file RiotCracker_by_B60.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

agilenet

Obfuscated with Agile.Net obfuscator

Program crash

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-04-05 19:24

Signatures

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10-20230220-en

Max time kernel

144s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\WThreads.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\WThreads.dll,#1

Network

Country Destination Domain Proto
GB 51.132.193.104:443 tcp
NL 8.238.21.126:80 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10v2004-20230220-en

Max time kernel

90s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Colorful.Console.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Colorful.Console.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 104.208.16.90:443 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10v2004-20230220-en

Max time kernel

85s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
IE 13.69.239.74:443 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
NL 8.238.178.126:80 tcp
NL 23.72.252.163:80 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10-20230220-en

Max time kernel

56s

Max time network

73s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe

"C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe"

Network

Country Destination Domain Proto
GB 51.132.193.104:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp

Files

memory/2148-117-0x0000000000230000-0x000000000023A000-memory.dmp

memory/2148-118-0x0000000004AD0000-0x0000000004AEC000-memory.dmp

memory/2148-119-0x0000000004B90000-0x0000000004C22000-memory.dmp

memory/2148-120-0x0000000004B80000-0x0000000004B90000-memory.dmp

memory/2148-121-0x0000000004B80000-0x0000000004B90000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win7-20230220-en

Max time kernel

28s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe

"C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 580

Network

N/A

Files

memory/2024-54-0x0000000000B40000-0x0000000000B4A000-memory.dmp

memory/2024-55-0x0000000000430000-0x000000000044C000-memory.dmp

memory/2024-56-0x0000000000630000-0x0000000000670000-memory.dmp

memory/2024-57-0x0000000000630000-0x0000000000670000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10-20230220-en

Max time kernel

54s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 52.182.143.211:443 tcp
US 67.24.33.254:80 tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10v2004-20230220-en

Max time kernel

77s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe

"C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa udp
NL 173.223.113.164:443 tcp

Files

memory/3944-133-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

memory/3944-134-0x0000000005480000-0x000000000549C000-memory.dmp

memory/3944-135-0x0000000005540000-0x00000000055D2000-memory.dmp

memory/3944-136-0x0000000005520000-0x0000000005530000-memory.dmp

memory/3944-137-0x0000000005520000-0x0000000005530000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10-20230220-en

Max time kernel

55s

Max time network

60s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrinitySeal.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrinitySeal.dll,#1

Network

Country Destination Domain Proto
FR 51.11.192.49:443 tcp
NL 178.79.208.1:80 tcp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrinitySeal.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrinitySeal.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 20.44.10.122:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
NL 8.238.179.126:80 tcp
NL 8.238.179.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\WThreads.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\WThreads.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\WThreads.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\WThreads.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
FR 51.11.192.49:443 tcp
NL 8.238.21.126:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
NL 8.238.22.254:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 93.184.220.29:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win10-20230220-en

Max time kernel

146s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Colorful.Console.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Colorful.Console.dll,#1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe

"C:\Users\Admin\AppData\Local\Temp\Riot Cracker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 20.189.173.12:443 tcp
US 93.184.221.240:80 tcp

Files

memory/2988-121-0x0000000000170000-0x000000000017A000-memory.dmp

memory/2988-122-0x0000000000B20000-0x0000000000B3C000-memory.dmp

memory/2988-123-0x00000000049D0000-0x0000000004A62000-memory.dmp

memory/2988-124-0x0000000004B50000-0x0000000004B60000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Colorful.Console.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Colorful.Console.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-04-05 19:24

Reported

2023-04-05 19:27

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrinitySeal.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\TrinitySeal.dll,#1

Network

N/A

Files

N/A