Overview

overview

10

Static

static

1

SpyHunter-...er.exe

windows10-2004-x64

10

Resubmissions

27-08-2023 06:21

230827-g4ev7ahg6z 10

27-08-2023 05:29

230827-f6wfaahf7w 8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SpyHunter-5.15-6-5285-Installer.exe

  • Size

    6.8MB

  • Sample

    230827-g4ev7ahg6z

  • MD5

    07386184c9f3ab2b533c73c854398805

  • SHA1

    ed43d9745c5f8f91cf90003647ca983d7e0b037e

  • SHA256

    87996cc12b3919fb370a67e45b037e0b75f1de66df8afcca060f0ac8e3464910

  • SHA512

    c4c6caf978e93161c71e1b5391d210210fe35e640ea4bacc1dd3ecc812c71ad0b06fd2d45a2155a35f84803d17114e909b95df18407a9959167d07c7667afad6

  • SSDEEP

    98304:S5lVuh2IHJm4PO1FFGlapRGR+Tj9GsYz40ng7ifP8roXtRCvrUEr7MkHkcZCDbhd:SPI1kt5TAWifPXtwUEX8D9H9

Score
10/10
auroradcratfabookiehealerredlinenravaaspackv2dropperevasioninfostealerpersistenceratspywarestealertrojanupxvmprotect

Malware Config

Extracted

Family

redline

Botnet

nrava

C2

77.91.124.82:19071

Attributes
  • auth_value

    43fe50e9ee6afb85588e03ac9676e2f7

Extracted

Family

aurora

C2

217.195.155.154:8081

Targets

    • Target

      SpyHunter-5.15-6-5285-Installer.exe

    • Size

      6.8MB

    • MD5

      07386184c9f3ab2b533c73c854398805

    • SHA1

      ed43d9745c5f8f91cf90003647ca983d7e0b037e

    • SHA256

      87996cc12b3919fb370a67e45b037e0b75f1de66df8afcca060f0ac8e3464910

    • SHA512

      c4c6caf978e93161c71e1b5391d210210fe35e640ea4bacc1dd3ecc812c71ad0b06fd2d45a2155a35f84803d17114e909b95df18407a9959167d07c7667afad6

    • SSDEEP

      98304:S5lVuh2IHJm4PO1FFGlapRGR+Tj9GsYz40ng7ifP8roXtRCvrUEr7MkHkcZCDbhd:SPI1kt5TAWifPXtwUEX8D9H9

    Score
    10/10
    auroradcratfabookiehealerredlinenravaaspackv2dropperevasioninfostealerpersistenceratspywarestealertrojanupxvmprotect

    • Aurora

      Aurora is a crypto wallet stealer written in Golang.

      stealeraurora

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect Fabookie payload

    • Detects Healer an antivirus disabler dropper

    • Fabookie

      Fabookie is facebook account info stealer.

      spywarestealerfabookie

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Creates new service(s)

      persistence

    • Drops file in Drivers directory

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

5
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks