Resubmissions
30-04-2023 20:16
230430-y169psah37 730-04-2023 20:09
230430-yxckxsah25 1030-04-2023 20:03
230430-ys13qaag96 730-04-2023 19:55
230430-ym5hyscf3w 7Analysis
-
max time kernel
146s -
max time network
176s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
30-04-2023 20:09
General
-
Target
ChatGPT (Bot).zip
-
Size
7.1MB
-
MD5
d2f022536243004be4a21092f99b8d0f
-
SHA1
856b042c9fdf1604679be190acb1c2068cb52730
-
SHA256
c1fe20b075cd91dbe6454422825af7b98d5e4914c00f81612c18a5be7f8cd509
-
SHA512
076e79b7521467a3e204d5cf820f6a312bf9eb8d581b0d0c6a6d96235c9f8284fed92d8b3a546fa6b0603743d5b90f64f6b596e13b2b44efc63930e09e3e5852
-
SSDEEP
98304:3unHAbqD9nF3jbQD3l6rMgXneBMYFzxVyOax5Zg2ILh7shAUA:3unHAuD9ljzG3xAZ/TkshAUA
Malware Config
Extracted
vidar
3.6
71cdfc44f141586243159aa45037497d
https://steamcommunity.com/profiles/76561199499188534
https://t.me/nutalse
-
profile_id_v2
71cdfc44f141586243159aa45037497d
-
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Extracted
laplas
http://45.159.189.105
-
api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 59 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 48 IoCs
-
Suspicious use of SendNotifyMessage 47 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\ChatGPT (Bot).zip"1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ActiveReign\requirements.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Desktop\ChatGPT (Bot).exe"C:\Users\Admin\Desktop\ChatGPT (Bot).exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\38808872664776435797.exe"C:\ProgramData\38808872664776435797.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.3MB
MD56929d9467cfa331fe33a18ebb69fc501
SHA1245e282445efa25ecf3cc567d1a40462f4237b7a
SHA2563ff364651520a6625602cb721499d4398a7aad5c3b8142e8b1d11d38cf35351b
SHA512cf65f2aa902ce9456e2bfcfd4f7cd3d41602e81f7b73b56c220adf8ec973aaf2bf8c1610ca2d8acaa35aaa1a04f056a7e5a5e210665b2b39be561e89bf034513
-
Filesize
3.3MB
MD56929d9467cfa331fe33a18ebb69fc501
SHA1245e282445efa25ecf3cc567d1a40462f4237b7a
SHA2563ff364651520a6625602cb721499d4398a7aad5c3b8142e8b1d11d38cf35351b
SHA512cf65f2aa902ce9456e2bfcfd4f7cd3d41602e81f7b73b56c220adf8ec973aaf2bf8c1610ca2d8acaa35aaa1a04f056a7e5a5e210665b2b39be561e89bf034513
-
Filesize
3.3MB
MD56929d9467cfa331fe33a18ebb69fc501
SHA1245e282445efa25ecf3cc567d1a40462f4237b7a
SHA2563ff364651520a6625602cb721499d4398a7aad5c3b8142e8b1d11d38cf35351b
SHA512cf65f2aa902ce9456e2bfcfd4f7cd3d41602e81f7b73b56c220adf8ec973aaf2bf8c1610ca2d8acaa35aaa1a04f056a7e5a5e210665b2b39be561e89bf034513
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
717.7MB
MD5fe950549272a1632212146060ce829b4
SHA1ba33f41b8ffe4c73f06a69c502a0fa2acab218a1
SHA2566cb3b293900ed5b17d7a7b15d55d66567a4593ca4f9053db868d7c27133e4a8c
SHA512adeea13a764a6bcc0fe6337ddc6507ebef21cb55f2db59a07ae29141964860baaf433ed03938b565aeef095a1d05b2dff01bc405bf4997db77cf59f749414f98
-
Filesize
541.1MB
MD5a6dd845ed6de73b82d19c008c9b1de5b
SHA1de852d7e5eed06404906175bceeb28c454a725a5
SHA256520a469c3c7c827ff2ca8145d067c8e1839820691a5a98e293267581926c66d9
SHA51253fc69d4cdb300a3c3d5c9738e7a5d44a0f9b2bf6633110845476cd29507454d87a72630922bcd92f4b5c08d739b734016e7deed7cc845d35a8049d20c66bb33
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
4.9MB
-
Filesize
4.9MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
472KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
9.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
972KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB
-
Filesize
564KB