growtopia | fa27a3c569f5a56329af800f665eb1db353fb39c93c94446b617936f6cfd5fec

General

Target

70ceb0c11838add0cfccb2efcdc8f62b.exe
Size

5.4MB
MD5

70ceb0c11838add0cfccb2efcdc8f62b
SHA1

6522e16406c85f47ead1c77315a538ee3b6294bf
SHA256

fa27a3c569f5a56329af800f665eb1db353fb39c93c94446b617936f6cfd5fec
SHA512

e82458c1ae70acd3c618b608e65d0332947a132e46e7f4f972204ab6718fc25ef9986f17669259cccf44006ce5f53f4cc543d01e9abb4ced1de6d3e0cbce9447
SSDEEP

98304:FTX6fzwPIlCtCmZukBTrnFuaUz823LFnGk35zieIOWooX/HH9TcHk/8t3:94zwPIZBUrnFhUz823JnGk35FO9X/Hdf

Score

10^/10

growtopia stealer vmprotect

Malware Config

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

GenReg.exe

pid process

4744 GenReg.exe

pid	process
4744	GenReg.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1700-1-0x0000000000C20000-0x00000000014CC000-memory.dmp	vmprotect
behavioral2/memory/1700-3-0x0000000000C20000-0x00000000014CC000-memory.dmp	vmprotect
behavioral2/memory/1700-17-0x0000000000C20000-0x00000000014CC000-memory.dmp	vmprotect
behavioral2/memory/1700-82-0x0000000000C20000-0x00000000014CC000-memory.dmp	vmprotect

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 icanhazip.com
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

70ceb0c11838add0cfccb2efcdc8f62b.exepowershell.exe

pid process

1700 70ceb0c11838add0cfccb2efcdc8f62b.exe
1700 70ceb0c11838add0cfccb2efcdc8f62b.exe
5024 powershell.exe
5024 powershell.exe
5024 powershell.exe

flow	ioc
18	icanhazip.com

pid	process
1700	70ceb0c11838add0cfccb2efcdc8f62b.exe
1700	70ceb0c11838add0cfccb2efcdc8f62b.exe
5024	powershell.exe
5024	powershell.exe
5024	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeIncreaseQuotaPrivilege	5024	powershell.exe
Token: SeSecurityPrivilege	5024	powershell.exe
Token: SeTakeOwnershipPrivilege	5024	powershell.exe
Token: SeLoadDriverPrivilege	5024	powershell.exe
Token: SeSystemProfilePrivilege	5024	powershell.exe
Token: SeSystemtimePrivilege	5024	powershell.exe
Token: SeProfSingleProcessPrivilege	5024	powershell.exe
Token: SeIncBasePriorityPrivilege	5024	powershell.exe
Token: SeCreatePagefilePrivilege	5024	powershell.exe
Token: SeBackupPrivilege	5024	powershell.exe
Token: SeRestorePrivilege	5024	powershell.exe
Token: SeShutdownPrivilege	5024	powershell.exe
Token: SeDebugPrivilege	5024	powershell.exe
Token: SeSystemEnvironmentPrivilege	5024	powershell.exe
Token: SeRemoteShutdownPrivilege	5024	powershell.exe
Token: SeUndockPrivilege	5024	powershell.exe
Token: SeManageVolumePrivilege	5024	powershell.exe
Token: 33	5024	powershell.exe
Token: 34	5024	powershell.exe
Token: 35	5024	powershell.exe
Token: 36	5024	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

70ceb0c11838add0cfccb2efcdc8f62b.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 2604	1700	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 1700 wrote to memory of 2604	1700	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 1700 wrote to memory of 2604	1700	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 2604 wrote to memory of 5024	2604	cmd.exe	powershell.exe
PID 2604 wrote to memory of 5024	2604	cmd.exe	powershell.exe
PID 2604 wrote to memory of 5024	2604	cmd.exe	powershell.exe
PID 1700 wrote to memory of 4852	1700	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 1700 wrote to memory of 4852	1700	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 1700 wrote to memory of 4852	1700	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\70ceb0c11838add0cfccb2efcdc8f62b.exe
"C:\Users\Admin\AppData\Local\Temp\70ceb0c11838add0cfccb2efcdc8f62b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell get-NetAdapter
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GenReg.exe" [29548]--[441325395]--[14774,14774c,14774w,14774wc]--[330994046,330994046c]
  2⤵
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\GenReg.exe
    C:\Users\Admin\AppData\Local\Temp\GenReg.exe [29548]--[441325395]--[14774,14774c,14774w,14774wc]--[330994046,330994046c]
    3⤵
    - Executes dropped EXE
    PID:4744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AAP-Bypass.reg

Filesize
394B

MD5
9132aab777ea6930e096fd97c0af57f5

SHA1
d759bcb078a2714403d00b37acc8281e37b9e06b

SHA256
173fde26a70f1aac08dd3adc7b790ecf90de7a83d29aecab15ea7a62e5a4edf5

SHA512
da47d6d078b07874340c5d0eaab4d184b7a476a2e924f5322a9994740e827b3a2c67f84a8094db8a6a70f8815795926800735401de8fff49bd8e8dade349546e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GenReg.exe

Filesize
9KB

MD5
511b735aafc5cfcfd307b350b6099c32

SHA1
68e0c6c6c504a45ad491150017fbfcc1e1c4f91d

SHA256
51c145f8bcc871263f1ceb7a85ed43915aae7b79aa175817c5d8c6edfb712ace

SHA512
af347e6623849c452663066a919db1d98aa28b4f4f7149a2b1209e02d56b9e79658cbb02416dd0a0bce40c622308f8244457c1056fa8c4d06f189800867bf1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.bat

Filesize
42B

MD5
56120ea7d97e691243935b98d32f4b65

SHA1
f89f6249a946882410de06765ec07e11f2608177

SHA256
1d6a29ec8b4f624b3246450c2a34ae1a8b3e35cdc7f3fa86a680e14169e01a67

SHA512
4cda70d6283fc48105a64c157c50fbe61bc5c77aa0f28e8c1176943cfdfa4345df77f09573d49ff896830cfc8315547a453a7bcbe68c00dd140b99ead94c8b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.zb

Filesize
369B

MD5
61864cd5f1bcb9f607331863e07a57f1

SHA1
4e6ea82dfc278540c67c250e5948cd4484d0dac5

SHA256
220e6eff127fb9202b7be5777c51b825c9e1eca38de9287b3605937f6d30231c

SHA512
d37244153e17f66e6ee91b220d14a9b28ac41575e6229a16cf539c32f8b43c0073427951ec2c8df9f45eec9184e8afde1c7e8e6e039332aca33966231d6a6a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fydcg4b4.ty0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1700-17-0x0000000000C20000-0x00000000014CC000-memory.dmp

Filesize
8.7MB

Download
memory/1700-82-0x0000000000C20000-0x00000000014CC000-memory.dmp

Filesize
8.7MB

Download
memory/1700-0-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/1700-3-0x0000000000C20000-0x00000000014CC000-memory.dmp

Filesize
8.7MB

Download
memory/1700-1-0x0000000000C20000-0x00000000014CC000-memory.dmp

Filesize
8.7MB

Download
memory/4744-80-0x0000000073DE0000-0x0000000074590000-memory.dmp

Filesize
7.7MB

Download
memory/4744-79-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4744-76-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/4744-75-0x0000000073DE0000-0x0000000074590000-memory.dmp

Filesize
7.7MB

Download
memory/5024-43-0x000000007FB30000-0x000000007FB40000-memory.dmp

Filesize
64KB

Download
memory/5024-60-0x0000000007500000-0x000000000750A000-memory.dmp

Filesize
40KB

Download
memory/5024-42-0x0000000006230000-0x000000000627C000-memory.dmp

Filesize
304KB

Download
memory/5024-44-0x0000000007100000-0x0000000007132000-memory.dmp

Filesize
200KB

Download
memory/5024-40-0x0000000005BD0000-0x0000000005F24000-memory.dmp

Filesize
3.3MB

Download
memory/5024-45-0x00000000706B0000-0x00000000706FC000-memory.dmp

Filesize
304KB

Download
memory/5024-47-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/5024-56-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/5024-57-0x0000000007140000-0x00000000071E3000-memory.dmp

Filesize
652KB

Download
memory/5024-58-0x0000000007AD0000-0x000000000814A000-memory.dmp

Filesize
6.5MB

Download
memory/5024-59-0x0000000007490000-0x00000000074AA000-memory.dmp

Filesize
104KB

Download
memory/5024-41-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/5024-61-0x0000000007710000-0x00000000077A6000-memory.dmp

Filesize
600KB

Download
memory/5024-62-0x0000000007690000-0x00000000076A1000-memory.dmp

Filesize
68KB

Download
memory/5024-63-0x0000000073DB0000-0x0000000074560000-memory.dmp

Filesize
7.7MB

Download
memory/5024-66-0x0000000073DB0000-0x0000000074560000-memory.dmp

Filesize
7.7MB

Download
memory/5024-30-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/5024-29-0x0000000005340000-0x00000000053A6000-memory.dmp

Filesize
408KB

Download
memory/5024-28-0x00000000051A0000-0x00000000051C2000-memory.dmp

Filesize
136KB

Download
memory/5024-27-0x00000000053C0000-0x00000000059E8000-memory.dmp

Filesize
6.2MB

Download
memory/5024-26-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/5024-25-0x0000000002830000-0x0000000002866000-memory.dmp

Filesize
216KB

Download
memory/5024-24-0x00000000029E0000-0x00000000029F0000-memory.dmp

Filesize
64KB

Download
memory/5024-23-0x0000000073DB0000-0x0000000074560000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads