growtopia | e4c2460165de097c187d1a646cfc513d32a9130a0e3fe40a359f82b54987bb23

Analysis

max time kernel
52s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f51b489073e0a0e9fff1a9d8f0e09185.exe
Size

5.4MB
MD5

f51b489073e0a0e9fff1a9d8f0e09185
SHA1

c8a2cf999334870c51ead8e366ce51ee916b6e3f
SHA256

e4c2460165de097c187d1a646cfc513d32a9130a0e3fe40a359f82b54987bb23
SHA512

c724d3245868a6a6a90ad0f169ba39857f192809ac0e0b7919ebd53ca7669080703571fd235e129130ddc157286534905dcb6ca7e951e7d8ce3347184eb89484
SSDEEP

98304:7aK90IOLFoFMy2Wt6E8jtpOEv9NdHkyLhiCyIgFfffHyBUMUbv5wOJERH:X9POJa2WD69Nay8Mg1ffS2/K4ER

Score

10^/10

growtopia stealer vmprotect

Malware Config

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/3224-1-0x00000000008E0000-0x0000000001190000-memory.dmp	vmprotect
behavioral2/memory/3224-3-0x00000000008E0000-0x0000000001190000-memory.dmp	vmprotect
behavioral2/memory/3224-7-0x00000000008E0000-0x0000000001190000-memory.dmp	vmprotect
behavioral2/memory/3224-83-0x00000000008E0000-0x0000000001190000-memory.dmp	vmprotect

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	icanhazip.com

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3224	f51b489073e0a0e9fff1a9d8f0e09185.exe
3224	f51b489073e0a0e9fff1a9d8f0e09185.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 1540	3224	f51b489073e0a0e9fff1a9d8f0e09185.exe	103
PID 3224 wrote to memory of 1540	3224	f51b489073e0a0e9fff1a9d8f0e09185.exe	103
PID 3224 wrote to memory of 1540	3224	f51b489073e0a0e9fff1a9d8f0e09185.exe	103

C:\Users\Admin\AppData\Local\Temp\f51b489073e0a0e9fff1a9d8f0e09185.exe
"C:\Users\Admin\AppData\Local\Temp\f51b489073e0a0e9fff1a9d8f0e09185.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAC.bat"
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell get-NetAdapter
    3⤵
    PID:4908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GenReg.exe" [29548]--[441325395]--[14774,14774c,14774w,14774wc]--[330994046,330994046c]
  2⤵
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\GenReg.exe
    C:\Users\Admin\AppData\Local\Temp\GenReg.exe [29548]--[441325395]--[14774,14774c,14774w,14774wc]--[330994046,330994046c]
    3⤵
    PID:3380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3224-1-0x00000000008E0000-0x0000000001190000-memory.dmp

Filesize
8.7MB

Download
memory/3224-3-0x00000000008E0000-0x0000000001190000-memory.dmp

Filesize
8.7MB

Download
memory/3224-0-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/3224-7-0x00000000008E0000-0x0000000001190000-memory.dmp

Filesize
8.7MB

Download
memory/3224-83-0x00000000008E0000-0x0000000001190000-memory.dmp

Filesize
8.7MB

Download
memory/3380-76-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/3380-77-0x00000000734D0000-0x0000000073C80000-memory.dmp

Filesize
7.7MB

Download
memory/3380-81-0x00000000734D0000-0x0000000073C80000-memory.dmp

Filesize
7.7MB

Download
memory/3380-80-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/4908-46-0x000000006FDA0000-0x000000006FDEC000-memory.dmp

Filesize
304KB

Download
memory/4908-44-0x00000000734A0000-0x0000000073C50000-memory.dmp

Filesize
7.7MB

Download
memory/4908-29-0x0000000006120000-0x0000000006186000-memory.dmp

Filesize
408KB

Download
memory/4908-40-0x0000000006300000-0x0000000006654000-memory.dmp

Filesize
3.3MB

Download
memory/4908-42-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/4908-41-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/4908-43-0x00000000077F0000-0x0000000007822000-memory.dmp

Filesize
200KB

Download
memory/4908-28-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/4908-56-0x0000000006DC0000-0x0000000006DDE000-memory.dmp

Filesize
120KB

Download
memory/4908-57-0x0000000007830000-0x00000000078D3000-memory.dmp

Filesize
652KB

Download
memory/4908-45-0x000000007F4A0000-0x000000007F4B0000-memory.dmp

Filesize
64KB

Download
memory/4908-35-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/4908-58-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/4908-59-0x00000000081A0000-0x000000000881A000-memory.dmp

Filesize
6.5MB

Download
memory/4908-60-0x0000000007B50000-0x0000000007B6A000-memory.dmp

Filesize
104KB

Download
memory/4908-61-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

Filesize
40KB

Download
memory/4908-62-0x0000000007DE0000-0x0000000007E76000-memory.dmp

Filesize
600KB

Download
memory/4908-63-0x0000000006C30000-0x0000000006C41000-memory.dmp

Filesize
68KB

Download
memory/4908-66-0x00000000734A0000-0x0000000073C50000-memory.dmp

Filesize
7.7MB

Download
memory/4908-27-0x00000000058C0000-0x0000000005EE8000-memory.dmp

Filesize
6.2MB

Download
memory/4908-26-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/4908-24-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/4908-25-0x0000000005250000-0x0000000005286000-memory.dmp

Filesize
216KB

Download
memory/4908-23-0x00000000734A0000-0x0000000073C50000-memory.dmp

Filesize
7.7MB

Download