Malware Analysis Report

2025-08-11 01:37

Sample ID 231206-2834ssgbbp
Target ShibaGTGoldBootstrapper.exe
SHA256 ba40f680d70bb6d8e9687c773586f01dd8c21a55e8a50f1c84dcbb0281aa0334
Tags
vmprotect
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

ba40f680d70bb6d8e9687c773586f01dd8c21a55e8a50f1c84dcbb0281aa0334

Threat Level: Likely malicious

The file ShibaGTGoldBootstrapper.exe was found to be: Likely malicious.

Malicious Activity Summary

vmprotect

Downloads MZ/PE file

VMProtect packed file

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-06 23:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-06 23:16

Reported

2023-12-06 23:18

Platform

win7-20231129-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 1700

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp

Files

memory/2924-0-0x0000000000C90000-0x0000000000CA8000-memory.dmp

memory/2924-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

memory/2924-2-0x0000000000480000-0x0000000000486000-memory.dmp

memory/2924-3-0x0000000000530000-0x0000000000570000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar21D8.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2924-40-0x0000000074550000-0x0000000074C3E000-memory.dmp

memory/2924-41-0x0000000000530000-0x0000000000570000-memory.dmp

memory/2924-42-0x0000000074550000-0x0000000074C3E000-memory.dmp

C:\Users\Admin\Desktop\virus.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-06 23:16

Reported

2023-12-06 23:18

Platform

win10v2004-20231127-en

Max time kernel

152s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe"

Signatures

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\goldloader.loader N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\ShibaGTGoldBootstrapper.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" cmd.exe /C "C:\Users\Admin\AppData\Local\Temp\goldloader.loader"

C:\Users\Admin\AppData\Local\Temp\goldloader.loader

C:\Users\Admin\AppData\Local\Temp\goldloader.loader

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 222.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 226.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 133.23.21.2.in-addr.arpa udp
US 8.8.8.8:53 219.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

memory/4904-0-0x0000000000E90000-0x0000000000EA8000-memory.dmp

memory/4904-1-0x0000000074400000-0x0000000074BB0000-memory.dmp

memory/4904-2-0x0000000003200000-0x0000000003206000-memory.dmp

memory/4904-3-0x00000000057B0000-0x00000000057C0000-memory.dmp

memory/4904-4-0x0000000005730000-0x0000000005796000-memory.dmp

memory/4904-7-0x0000000074400000-0x0000000074BB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\goldloader.loader

MD5 ea3d2c8a97e5878acaf00a086f66946d
SHA1 4e644466192523011cf950433ade99022c9c4d57
SHA256 1bfda2ccbf00523606a2eba0668a173d27a41d57341798c281e62dc436e84fdd
SHA512 1c4e629e7ec6eff4b33a57c27a4ed0d73c5684b5b6cc0e6a9938aa9d7ea108aa9de8894ee0de7822d9acb6d53bf6058ca38d0f4ce3d13b8d309f622fc02ab24a

C:\Users\Admin\AppData\Local\Temp\goldloader.loader

MD5 ea3d2c8a97e5878acaf00a086f66946d
SHA1 4e644466192523011cf950433ade99022c9c4d57
SHA256 1bfda2ccbf00523606a2eba0668a173d27a41d57341798c281e62dc436e84fdd
SHA512 1c4e629e7ec6eff4b33a57c27a4ed0d73c5684b5b6cc0e6a9938aa9d7ea108aa9de8894ee0de7822d9acb6d53bf6058ca38d0f4ce3d13b8d309f622fc02ab24a