growtopia | c28331ddbb9f519cfe6b6dbed4f947438e2a1aa5e09a583a44321152d9bdfe90

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28-12-2023 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f01ed61c293a838f8db9cd86e84eaeee.exe
Size

13KB
MD5

f01ed61c293a838f8db9cd86e84eaeee
SHA1

f052e9481b6613588474c90395cc7a3b9339f71c
SHA256

c28331ddbb9f519cfe6b6dbed4f947438e2a1aa5e09a583a44321152d9bdfe90
SHA512

a5273c7be22b73682e9ad02c8fc6eacd4a1161335bcba1b80ac470cece1270ab24c72a88529f449e48beba8fa6b1a2cb19f104ec291bc879f3ebede406309c18
SSDEEP

192:F63ft5sW0h0ExU+XP5aJf9lJMCl7M+J5068KcwuZ:mtKW/aP8Jf9/XJM8pu

Score

10^/10

growtopia stealer

Malware Config

Extracted

Family

growtopia

https://discord.com/api/webhooks/868185685511798824/n1UTeZkfBFoxLWBaV9dnLZ0QpTexYyhEZWPPeMAw8jxUZJ6gQkBUFF9Om3akpjQoXALi

Attributes

payload_url
https://cdn.discordapp.com/attachments/805061254648954893/845198803157123072/savedecrypter.exe

https://cdn.discordapp.com/attachments/831259039135563876/844989460450115584/Screenshot_2.png

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	icanhazip.com

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1960	2508	WerFault.exe	14

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	f01ed61c293a838f8db9cd86e84eaeee.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1960	2508	f01ed61c293a838f8db9cd86e84eaeee.exe	28
PID 2508 wrote to memory of 1960	2508	f01ed61c293a838f8db9cd86e84eaeee.exe	28
PID 2508 wrote to memory of 1960	2508	f01ed61c293a838f8db9cd86e84eaeee.exe	28
PID 2508 wrote to memory of 1960	2508	f01ed61c293a838f8db9cd86e84eaeee.exe	28

C:\Users\Admin\AppData\Local\Temp\f01ed61c293a838f8db9cd86e84eaeee.exe
"C:\Users\Admin\AppData\Local\Temp\f01ed61c293a838f8db9cd86e84eaeee.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1632
  2⤵
  - Program crash
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2508-0-0x0000000000210000-0x000000000021A000-memory.dmp

Filesize
40KB

Download
memory/2508-1-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-2-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download
memory/2508-37-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Filesize
6.9MB

Download
memory/2508-38-0x00000000049B0000-0x00000000049F0000-memory.dmp

Filesize
256KB

Download