Overview

overview

10

Static

static

1

URLScan

urlscan

1

https://cheaterboss....

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    https://cheaterboss.com/synapse-x-cracked-download/

  • Sample

    230420-vgsenabb95

Score
10/10
eternityicarusstealerredlinesectopratxmrig0408clipperdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojanupxworm

Malware Config

Extracted

Family

redline

C2

62.204.41.141:24758

Attributes
  • auth_value

    ea069d64c780fc5379eeb0792909ac77

Extracted

Family

redline

Botnet

0408

C2

81.161.229.110:12767

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes
  • payload_urls

    http://81.161.229.110:8080/upload/svService.exe

    http://81.161.229.110:8080/upload/rgmlabor.exe,http://81.161.229.110:8080/upload/WindManager.exe,http://81.161.229.110:8080/upload/svcHost.exe

Extracted

Family

icarusstealer

Attributes
  • payload_url

    https://raw.githubusercontent.com/HiddenEyeZ/tg/main/rt.jpg

Targets

    • Target

      https://cheaterboss.com/synapse-x-cracked-download/

    Score
    10/10
    eternityicarusstealerredlinesectopratxmrig0408clipperdiscoveryevasioninfostealerminerpersistenceratspywarestealertrojanupxworm

    • Detects Eternity clipper

      clipper

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

      eternity

    • IcarusStealer

      Icarus is a modular stealer written in C# First adverts in July 2022.

      stealericarusstealer

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • XMRig Miner payload

      miner

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Contacts a large (519) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Modifies Installed Components in the registry

      persistence

    • Sets file execution options in registry

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Registers COM server for autorun

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks