growtopia | fa27a3c569f5a56329af800f665eb1db353fb39c93c94446b617936f6cfd5fec

General

Target

70ceb0c11838add0cfccb2efcdc8f62b.exe
Size

5.4MB
MD5

70ceb0c11838add0cfccb2efcdc8f62b
SHA1

6522e16406c85f47ead1c77315a538ee3b6294bf
SHA256

fa27a3c569f5a56329af800f665eb1db353fb39c93c94446b617936f6cfd5fec
SHA512

e82458c1ae70acd3c618b608e65d0332947a132e46e7f4f972204ab6718fc25ef9986f17669259cccf44006ce5f53f4cc543d01e9abb4ced1de6d3e0cbce9447
SSDEEP

98304:FTX6fzwPIlCtCmZukBTrnFuaUz823LFnGk35zieIOWooX/HH9TcHk/8t3:94zwPIZBUrnFhUz823JnGk35FO9X/Hdf

Score

10^/10

growtopia stealer vmprotect

Malware Config

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

GenReg.exe

pid process

4424 GenReg.exe

pid	process
4424	GenReg.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/956-0-0x00000000007D0000-0x000000000107C000-memory.dmp	vmprotect
behavioral2/memory/956-2-0x00000000007D0000-0x000000000107C000-memory.dmp	vmprotect
behavioral2/memory/956-41-0x00000000007D0000-0x000000000107C000-memory.dmp	vmprotect
behavioral2/memory/956-80-0x00000000007D0000-0x000000000107C000-memory.dmp	vmprotect

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 icanhazip.com
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

70ceb0c11838add0cfccb2efcdc8f62b.exepowershell.exe

pid process

956 70ceb0c11838add0cfccb2efcdc8f62b.exe
956 70ceb0c11838add0cfccb2efcdc8f62b.exe
2196 powershell.exe
2196 powershell.exe

flow	ioc
4	icanhazip.com

pid	process
956	70ceb0c11838add0cfccb2efcdc8f62b.exe
956	70ceb0c11838add0cfccb2efcdc8f62b.exe
2196	powershell.exe
2196	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

powershell.exe

description	pid	process
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeIncreaseQuotaPrivilege	2196	powershell.exe
Token: SeSecurityPrivilege	2196	powershell.exe
Token: SeTakeOwnershipPrivilege	2196	powershell.exe
Token: SeLoadDriverPrivilege	2196	powershell.exe
Token: SeSystemProfilePrivilege	2196	powershell.exe
Token: SeSystemtimePrivilege	2196	powershell.exe
Token: SeProfSingleProcessPrivilege	2196	powershell.exe
Token: SeIncBasePriorityPrivilege	2196	powershell.exe
Token: SeCreatePagefilePrivilege	2196	powershell.exe
Token: SeBackupPrivilege	2196	powershell.exe
Token: SeRestorePrivilege	2196	powershell.exe
Token: SeShutdownPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeSystemEnvironmentPrivilege	2196	powershell.exe
Token: SeRemoteShutdownPrivilege	2196	powershell.exe
Token: SeUndockPrivilege	2196	powershell.exe
Token: SeManageVolumePrivilege	2196	powershell.exe
Token: 33	2196	powershell.exe
Token: 34	2196	powershell.exe
Token: 35	2196	powershell.exe
Token: 36	2196	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

70ceb0c11838add0cfccb2efcdc8f62b.execmd.execmd.exe

description	pid	process	target process
PID 956 wrote to memory of 408	956	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 956 wrote to memory of 408	956	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 956 wrote to memory of 408	956	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 408 wrote to memory of 2196	408	cmd.exe	powershell.exe
PID 408 wrote to memory of 2196	408	cmd.exe	powershell.exe
PID 408 wrote to memory of 2196	408	cmd.exe	powershell.exe
PID 956 wrote to memory of 3160	956	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 956 wrote to memory of 3160	956	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 956 wrote to memory of 3160	956	70ceb0c11838add0cfccb2efcdc8f62b.exe	cmd.exe
PID 3160 wrote to memory of 4424	3160	cmd.exe	GenReg.exe
PID 3160 wrote to memory of 4424	3160	cmd.exe	GenReg.exe
PID 3160 wrote to memory of 4424	3160	cmd.exe	GenReg.exe

C:\Users\Admin\AppData\Local\Temp\70ceb0c11838add0cfccb2efcdc8f62b.exe
"C:\Users\Admin\AppData\Local\Temp\70ceb0c11838add0cfccb2efcdc8f62b.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\MAC.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:408
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell get-NetAdapter
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\GenReg.exe" [29548]--[441325395]--[14774,14774c,14774w,14774wc]--[330994046,330994046c]
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\GenReg.exe
    C:\Users\Admin\AppData\Local\Temp\GenReg.exe [29548]--[441325395]--[14774,14774c,14774w,14774wc]--[330994046,330994046c]
    3⤵
    - Executes dropped EXE
    PID:4424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AAP-Bypass.reg

Filesize
394B

MD5
174d2db97710a12a0e609d6c49e6c205

SHA1
e0c029a332448975f35976e4674b42b6d4446f61

SHA256
36af5822bd7ce1213ce8f71f679bc4aa1ccdc656b233e1464f8793eb5f00ed54

SHA512
caf31c55af5c9ae89966a28c81dd1db6d6316303101a44a60446f01618f694bae398038c9438b4a19ebe462064b93c6c93541417d573ceee4f791d90c2590cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\GenReg.exe

Filesize
9KB

MD5
511b735aafc5cfcfd307b350b6099c32

SHA1
68e0c6c6c504a45ad491150017fbfcc1e1c4f91d

SHA256
51c145f8bcc871263f1ceb7a85ed43915aae7b79aa175817c5d8c6edfb712ace

SHA512
af347e6623849c452663066a919db1d98aa28b4f4f7149a2b1209e02d56b9e79658cbb02416dd0a0bce40c622308f8244457c1056fa8c4d06f189800867bf1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.bat

Filesize
42B

MD5
56120ea7d97e691243935b98d32f4b65

SHA1
f89f6249a946882410de06765ec07e11f2608177

SHA256
1d6a29ec8b4f624b3246450c2a34ae1a8b3e35cdc7f3fa86a680e14169e01a67

SHA512
4cda70d6283fc48105a64c157c50fbe61bc5c77aa0f28e8c1176943cfdfa4345df77f09573d49ff896830cfc8315547a453a7bcbe68c00dd140b99ead94c8b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAC.zb

Filesize
369B

MD5
91a9f10509e9c9dd6bf9554a3a62c7d0

SHA1
fcdc119e505540967a81251a677c30e26b4936de

SHA256
632fcbb70748fba4d115b83e6e151511661b608057c34bcb07d4ffc2a85b30c6

SHA512
c3542f1b766274f30d4b0334659b024359e9803c94653d15009cece1b6eb48da6480bc7a8bead62ec026f12dccddd6deeb1f9fb6153933215adc7698ff592640

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3hduosjn.rzi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/956-1-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/956-2-0x00000000007D0000-0x000000000107C000-memory.dmp

Filesize
8.7MB

Download
memory/956-80-0x00000000007D0000-0x000000000107C000-memory.dmp

Filesize
8.7MB

Download
memory/956-0-0x00000000007D0000-0x000000000107C000-memory.dmp

Filesize
8.7MB

Download
memory/956-41-0x00000000007D0000-0x000000000107C000-memory.dmp

Filesize
8.7MB

Download
memory/2196-43-0x000000007F180000-0x000000007F190000-memory.dmp

Filesize
64KB

Download
memory/2196-57-0x00000000076D0000-0x00000000076EA000-memory.dmp

Filesize
104KB

Download
memory/2196-37-0x0000000005EE0000-0x0000000006234000-memory.dmp

Filesize
3.3MB

Download
memory/2196-38-0x00000000050C0000-0x00000000050DE000-memory.dmp

Filesize
120KB

Download
memory/2196-39-0x0000000006410000-0x000000000645C000-memory.dmp

Filesize
304KB

Download
memory/2196-26-0x0000000005D00000-0x0000000005D66000-memory.dmp

Filesize
408KB

Download
memory/2196-40-0x00000000069A0000-0x00000000069D2000-memory.dmp

Filesize
200KB

Download
memory/2196-42-0x0000000070630000-0x000000007067C000-memory.dmp

Filesize
304KB

Download
memory/2196-25-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/2196-53-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/2196-54-0x0000000006980000-0x000000000699E000-memory.dmp

Filesize
120KB

Download
memory/2196-55-0x0000000007590000-0x0000000007633000-memory.dmp

Filesize
652KB

Download
memory/2196-56-0x0000000007D10000-0x000000000838A000-memory.dmp

Filesize
6.5MB

Download
memory/2196-27-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/2196-58-0x0000000007730000-0x000000000773A000-memory.dmp

Filesize
40KB

Download
memory/2196-59-0x0000000007960000-0x00000000079F6000-memory.dmp

Filesize
600KB

Download
memory/2196-60-0x00000000078D0000-0x00000000078E1000-memory.dmp

Filesize
68KB

Download
memory/2196-63-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/2196-24-0x0000000005660000-0x0000000005C88000-memory.dmp

Filesize
6.2MB

Download
memory/2196-23-0x0000000002A00000-0x0000000002A36000-memory.dmp

Filesize
216KB

Download
memory/2196-21-0x0000000073D30000-0x00000000744E0000-memory.dmp

Filesize
7.7MB

Download
memory/2196-22-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/4424-77-0x00000000053D0000-0x00000000053E0000-memory.dmp

Filesize
64KB

Download
memory/4424-78-0x0000000073D60000-0x0000000074510000-memory.dmp

Filesize
7.7MB

Download
memory/4424-74-0x0000000073D60000-0x0000000074510000-memory.dmp

Filesize
7.7MB

Download
memory/4424-73-0x00000000009C0000-0x00000000009C8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads