Resubmissions
12-04-2024 13:18
240412-qj2nwsdg6z 1012-04-2024 13:18
240412-qj13csdg6y 1012-04-2024 13:18
240412-qj1rladg6x 1012-04-2024 13:18
240412-qjz53aag26 1012-04-2024 13:18
240412-qjzvasag25 1009-04-2024 03:59
240409-ekaq1sea34 1009-04-2024 03:58
240409-ej1aaadh98 1009-04-2024 03:58
240409-ejnw9adh85 1009-04-2024 03:55
240409-eg8tmshd41 1017-02-2024 23:58
240217-31gfhacd52 10General
-
Target
stub_tor.exe
-
Size
7.8MB
-
Sample
240412-qj1rladg6x
-
MD5
c76390d9e1052d9e708940d67b5c135d
-
SHA1
a370a73a9dd746584428e8a939288ecffd3c80f7
-
SHA256
caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f
-
SHA512
4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b
-
SSDEEP
196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E
Behavioral task
behavioral1
Sample
stub_tor.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
stub_tor.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
stub_tor.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral4
Sample
stub_tor.exe
Resource
win11-20240221-en
Malware Config
Extracted
bitrat
1.38
7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion:440
-
communication_password
4124bc0a9335c27f086f24ba207a4912
-
install_dir
Minecraft
-
install_file
Runtime_Broker
-
tor_process
tor
Targets
-
-
Target
stub_tor.exe
-
Size
7.8MB
-
MD5
c76390d9e1052d9e708940d67b5c135d
-
SHA1
a370a73a9dd746584428e8a939288ecffd3c80f7
-
SHA256
caf48b67e7bb94a178426fc7ce6b9ed50ffb2f3813a7c68900f21bfffb24e44f
-
SHA512
4d2d38d8719cdac8a406cfa96944ee99d2d926511e64d6b6aa964d40d0d9ddb1dc6e4e6253bcb1e77b32613c0b4409ab32ea54c476018fee963574edb043dd3b
-
SSDEEP
196608:oIRcbH4jSteTGvExwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQkDxtw3iFFrS6XOf:odHsfuExwZ6v1CPwDv3uFteg2EeJUO9E
Score10/10-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-