General

  • Target

    5759412d60274d5f413c54afe2f7c0ee

  • Size

    495KB

  • Sample

    240112-yhszcsedam

  • MD5

    5759412d60274d5f413c54afe2f7c0ee

  • SHA1

    f0b8ab6840034cdcbf3a8f72f40483dbf7dc7a0f

  • SHA256

    35e6db625e5143f7506e27153776623aa36e32bd8df2c8efabf053aa7aff3d1b

  • SHA512

    66af88344f2a7654efaa892e2ef923be4d21f5e2186bbf7ad7e03284d7d686927507c4165e5ec6d4f4dec3f6aac3c46a238243be2c75b935b8a1caecf68726f2

  • SSDEEP

    12288:qALeh1Besa9OaEVOfE/AcK5Tn/WA8fL4eaB:Z+asaX1E/G/Wt8v

Malware Config

Targets

    • Target

      Battlefield 3 Aimbot/FaceBotFixed.dll

    • Size

      225KB

    • MD5

      e3eb7a71e05d57bb30bc89c18afcf933

    • SHA1

      d423cd66d75910b2515cb7bbd0d9ed01ab04ab92

    • SHA256

      2453ed6ac4022afc8d000ba54c8ba69c48b5ceab4c43b56ad00c9867c5b5374a

    • SHA512

      f8f9baa1477b18c511ec06f8bc11b4e65f2871603cd574cecbe0bb7d40e14bc964fa927ef3fd3edd1a25e0a768ab35f1ca7c1785c44d949651064ca9f67a939e

    • SSDEEP

      6144:1I+GTKQHSdMKmTLKzol3HXT7JUZoiOt8:14TKQHSdMKmTLKS3XT7JUJ

    Score
    1/10
    • Target

      Battlefield 3 Aimbot/WinJect.exe

    • Size

      540KB

    • MD5

      6abce2783394bf829a97599d04a8def3

    • SHA1

      2a7864232650cf6528c903ec505e4fc1cc59517c

    • SHA256

      29ab5fe35a0f48c4683adf37e978abbfff23c0b2f8b416d58b18690ebf41a66a

    • SHA512

      8c07c4b105296747f6224f161b00250e5fa54c4f7b2ad33313b91f4116917064f4acc315f664688346d0272bc77953c338fe40d4ed6e0fd5e5ad507f12cdf7b4

    • SSDEEP

      6144:dHEUWvcNBG1R741QrIJvnjqHByUkz/urMkHug25ijoBFQi7f0u1WeJiXpH4raGpt:pFG1d4gIJLqcU9OgiioSOLKR4rFMgn

    • ISR Stealer

      ISR Stealer is a modified version of Hackhound Stealer written in visual basic.

    • ISR Stealer payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks