Resubmissions

04-12-2023 19:06

231204-xsbmdsec7x 3

30-11-2023 22:42

231130-2mmvpacc79 10

General

  • Target

    Geneforge_4_v1_keymaker_by_ViKiNG.exe

  • Size

    3.4MB

  • Sample

    231130-2mmvpacc79

  • MD5

    8d5f03456bef80ecabf57fee9c49bfc5

  • SHA1

    afe5da8d259d648f6cb32eb81afe8a504804bc84

  • SHA256

    af21f2bb9d4f3933b65bfe469eeb5f0bbc50642375564eb471645d995f94e1f8

  • SHA512

    4049273bd945427a376455f90ce744daf8e1d79a66fdc6268e5c177de5f3d541a05a8301bc47cc360a8ede4e8ac11f7a2a8c47fc09c631f4799a39aaae0ade2d

  • SSDEEP

    98304:yUB2l3gv98UZhpBGedkDFK9l4FyK02ZS2WrkpbiZE:XB2yv9RhWGoFOl4bRZRWwZd

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://www.connectingkeralam.com/wp-content/uploads/debug2.ps1

Extracted

  • Family

    azorult

  • C2

    http://gigaload.info/1210776429.php

Extracted

  • Family

    pony

  • C2

    http://top.thisispw.com/keys7369921/gate.php
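The three URLs above are the network IOCs a responder would take from this report: the PowerShell dropper URL and the two C2 endpoints. The following is an added example, not part of the sandbox report, showing how to sweep proxy logs for them. The log lines are constructed, the squid-style field layout is an assumption, and the "/gate.php" heuristic is a naming convention commonly seen with Pony panels rather than something the report states.

```python
"""Match the extracted network IOCs against proxy log lines.

Added example, not part of the sandbox report. The log lines below are
constructed; the IOCs are the dropper and C2 URLs from the report's
Malware Config section.
"""
from urllib.parse import urlsplit

# IOCs copied from the report's "Malware Config" section.
IOCS = {
    "https://www.connectingkeralam.com/wp-content/uploads/debug2.ps1": "ps1.dropper",
    "http://gigaload.info/1210776429.php": "azorult C2",
    "http://top.thisispw.com/keys7369921/gate.php": "pony C2",
}

def _normalise(url):
    """Return (host, path): scheme, port and query removed, host lower-cased.

    CONNECT entries in proxy logs carry no scheme ('host:443'); prefixing '//'
    makes urlsplit treat the text as a network location rather than a scheme.
    """
    if "://" not in url:
        url = "//" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path

# Pre-compute host/path pairs and the set of known-bad hosts.
IOC_PATHS = {_normalise(u): fam for u, fam in IOCS.items()}
IOC_HOSTS = {host: fam for (host, _), fam in IOC_PATHS.items()}

def classify_url(url):
    """Return (confidence, family) for one requested URL, or None.

    'high'   : full host+path match with an extracted IOC
    'medium' : host matches an IOC host but the path differs (C2 paths rotate)
    'low'    : path ends in /gate.php, a naming convention seen with Pony panels
               (assumption: a heuristic, not something the report states)
    """
    host, path = _normalise(url)
    if (host, path) in IOC_PATHS:
        return "high", IOC_PATHS[(host, path)]
    if host in IOC_HOSTS:
        return "medium", IOC_HOSTS[host]
    if path.endswith("/gate.php"):
        return "low", "possible pony-style gate"
    return None

def scan_proxy_log(lines):
    """Scan squid-style lines 'epoch client method url status' and return hits."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append({"line": lineno, "client": client, "url": url,
                         "confidence": verdict[0], "family": verdict[1]})
    return hits

# Constructed sample log: benign lines, one hit per IOC, one host-only hit.
SAMPLE_LOG = [
    "1701385320 10.0.0.15 GET https://www.example.com/ 200",
    "1701385321 10.0.0.15 GET https://www.connectingkeralam.com/wp-content/uploads/debug2.ps1 200",
    "1701385330 10.0.0.15 POST http://gigaload.info/1210776429.php 200",
    "1701385331 10.0.0.15 POST http://top.thisispw.com/keys7369921/gate.php 200",
    "1701385340 10.0.0.22 POST http://gigaload.info:80/other.php?x=1 404",
    "1701385341 10.0.0.22 GET https://cdn.example.net/lib.js 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Matching on the host as well as the full URL matters here: the Azorult C2 path is a numeric PHP filename that a second build may change, while the host tends to survive longer. Treat the "/gate.php" rule as a triage hint only; it will hit unrelated sites.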

Targets

    • Target

      Geneforge_4_v1_keymaker_by_ViKiNG.exe


    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Pony, Fareit

      Pony (also tracked as Fareit) is a credential-stealing trojan that harvests stored passwords and can download and run further payloads.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.
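Taken individually, most of the reads listed above are ordinary: a browser reads its own Login Data, Outlook reads its own profile keys. What makes them a stealer signal is one unrelated process touching several of these stores in a short window. The following is an added example, not part of the sandbox report, that encodes the report's behaviour names as path rules over file and registry access records, discounts the owning application, and aggregates per process. The artifact paths are well-known locations chosen for illustration (an assumption, the report does not list paths), and the event records are constructed.

```python
"""Flag processes whose file/registry reads match the credential-store
artifacts listed in the report's behaviour section.

Added example, not part of the sandbox report. The artifact paths are
well-known locations chosen for illustration (assumption, not something the
report lists), and the events below are constructed.
"""
from collections import defaultdict
from fnmatch import fnmatch

# Behaviour name from the report -> glob patterns over the accessed target.
# Patterns are matched case-insensitively after normalising path separators.
RULES = {
    "Reads data files stored by FTP clients": [
        "*/filezilla/sitemanager.xml",
        "*/filezilla/recentservers.xml",
    ],
    "Reads user/profile data of web browsers": [
        "*/google/chrome/user data/*/login data",
        "*/mozilla/firefox/profiles/*/logins.json",
    ],
    "Accesses Microsoft Outlook profiles": [
        "hkcu/software/microsoft/office/*/outlook/profiles*",
        "hkcu/software/microsoft/windows nt/currentversion/windows messaging subsystem/profiles*",
    ],
    "Reads local data of messenger clients": [
        "*/telegram desktop/tdata/*",
    ],
    "Accesses cryptocurrency files/wallets": [
        "*/electrum/wallets/*",
        "*/bitcoin/wallet.dat",
    ],
    "Checks installed software on the system": [
        "hklm/software/microsoft/windows/currentversion/uninstall*",
    ],
}

# The application that legitimately owns each store; its own reads are expected.
OWNERS = {
    "Reads user/profile data of web browsers": {"chrome.exe", "firefox.exe"},
    "Reads data files stored by FTP clients": {"filezilla.exe"},
    "Accesses Microsoft Outlook profiles": {"outlook.exe"},
}

def _norm(path):
    return path.replace("\\", "/").lower()

def match_rules(image, target):
    """Return the behaviour names whose patterns match this single access."""
    t = _norm(target)
    exe = _norm(image).rsplit("/", 1)[-1]
    hits = []
    for name, patterns in RULES.items():
        if exe in OWNERS.get(name, ()):
            continue  # the store's own application reading it is not a signal
        if any(fnmatch(t, p) for p in patterns):
            hits.append(name)
    return hits

def triage_events(events, threshold=3):
    """Aggregate matches per process; a process showing >= threshold distinct
    behaviours is reported as a likely infostealer."""
    per_proc = defaultdict(set)
    images = {}
    for ev in events:
        images[ev["pid"]] = ev["image"]
        for name in match_rules(ev["image"], ev["target"]):
            per_proc[ev["pid"]].add(name)
    return {
        pid: {"image": images[pid], "behaviours": sorted(names),
              "likely_stealer": len(names) >= threshold}
        for pid, names in per_proc.items()
    }

SAMPLE = "C:\\Users\\user\\Desktop\\Geneforge_4_v1_keymaker_by_ViKiNG.exe"
EVENTS = [  # constructed Sysmon-style file/registry access records
    {"pid": 4321, "image": SAMPLE, "target": "C:\\Users\\user\\AppData\\Roaming\\FileZilla\\sitemanager.xml"},
    {"pid": 4321, "image": SAMPLE, "target": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"pid": 4321, "image": SAMPLE, "target": "HKCU\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook"},
    {"pid": 4321, "image": SAMPLE, "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\7-Zip"},
    {"pid": 4321, "image": SAMPLE, "target": "C:\\Users\\user\\AppData\\Roaming\\Electrum\\wallets\\default_wallet"},
    {"pid": 1200, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"},
    {"pid": 900, "image": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\user\\Documents\\notes.docx"},
]

if __name__ == "__main__":
    for pid, info in triage_events(EVENTS).items():
        print(pid, info)
```

The threshold is the practical knob: a single category fires on backup agents and migration tools all day, while a freshly dropped executable hitting FTP, browser, mail, wallet and Uninstall data together is the pattern this report records.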

MITRE ATT&CK Enterprise v15

Tasks