Overview

overview

10

Static

static

3

Epicgamesx64 (2).exe

windows7-x64

10

Epicgamesx64 (2).exe

windows10-2004-x64

9

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Epicgamesx64.exe

windows7-x64

10

Epicgamesx64.exe

windows10-2004-x64

10

LICENSES.c...m.html

windows7-x64

1

LICENSES.c...m.html

windows10-2004-x64

1

d3dcompiler_47.dll

windows10-2004-x64

1

ffmpeg.dll

windows7-x64

1

ffmpeg.dll

windows10-2004-x64

1

libEGL.dll

windows7-x64

1

libEGL.dll

windows10-2004-x64

1

libGLESv2.dll

windows7-x64

1

libGLESv2.dll

windows10-2004-x64

1

resources/...dex.js

windows7-x64

1

resources/...dex.js

windows10-2004-x64

1

resources/....2.bat

windows7-x64

7

resources/....2.bat

windows10-2004-x64

7

resources/elevate.exe

windows7-x64

1

resources/elevate.exe

windows10-2004-x64

1

vk_swiftshader.dll

windows7-x64

1

vk_swiftshader.dll

windows10-2004-x64

1

vulkan-1.dll

windows7-x64

1

vulkan-1.dll

windows10-2004-x64

1

$PLUGINSDI...7z.dll

windows7-x64

3

$PLUGINSDI...7z.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Epicgamesx64 (2).exe

  • Size

    69.3MB

  • Sample

    240426-zlrq5scg6t

  • MD5

    3e5fa4d3252ed7fd70f72cd59f69bba4

  • SHA1

    aa742028d230ddb7d5a1d965747a2d4d1f766fd0

  • SHA256

    a2d4c19d2a8c9a6a196ebcf1f49a6eed03b06b76880d772fa8c0ab72aec59763

  • SHA512

    f2636dc8c2603ad7be2b47f11f424c33a6742bbff4948871c2d539f27444aa9399a78b4303fbe7f8e8863f203a945e0055867511b0facf0a4335e5a7e1876adf

  • SSDEEP

    1572864:FGAEBBh+EzidEe2HlekLnk8M3zjztNfsRdaYO9uYMR:4AEnh4J2i7sjaF9ulR

Score
10/10
epsilonevasionpersistencespywarestealer

Malware Config

Targets

    • Target

      Epicgamesx64 (2).exe

    • Size

      69.3MB

    • MD5

      3e5fa4d3252ed7fd70f72cd59f69bba4

    • SHA1

      aa742028d230ddb7d5a1d965747a2d4d1f766fd0

    • SHA256

      a2d4c19d2a8c9a6a196ebcf1f49a6eed03b06b76880d772fa8c0ab72aec59763

    • SHA512

      f2636dc8c2603ad7be2b47f11f424c33a6742bbff4948871c2d539f27444aa9399a78b4303fbe7f8e8863f203a945e0055867511b0facf0a4335e5a7e1876adf

    • SSDEEP

      1572864:FGAEBBh+EzidEe2HlekLnk8M3zjztNfsRdaYO9uYMR:4AEnh4J2i7sjaF9ulR

    Score
    10/10
    epsilonevasionpersistencespywarestealer

    • Epsilon Stealer

      Information stealer.

      stealerepsilon

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    behavioral5behavioral6

    • Target

      Epicgamesx64.exe

    • Size

      142.3MB

    • MD5

      badecedc29fd0b44aec2b4a479c5762e

    • SHA1

      4eac9ca9ee0b52cbfbbfc1dfe2d300238e66c126

    • SHA256

      0f0bbe02ac5ba7fb768634e36ad7fdb4fad18942b1811341bcb7538f675ca9af

    • SHA512

      a8fef6930a3b2949b5b96a5fb1ffd4bce1202d51cd6f67e23e4bd9b14acd29f3b1b6c4190bd8d884f520c58b77bfea8296066e3c1516a7c11c7c6ce4d4d64e53

    • SSDEEP

      1572864:Bx8e2z2aMcuE5p9vzLECsyP2d+J/AG8TQX60:3Labp9rY/W6

    Score
    10/10
    epsilonevasionpersistencespywarestealer

    • Epsilon Stealer

      Information stealer.

      stealerepsilon

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral7behavioral8

    • Target

      LICENSES.chromium.html

    • Size

      5.1MB

    • MD5

      f0882b4f2a11c1f0c524388c3307aad7

    • SHA1

      c8952b4076167de1374d0c1f62b1fde8fe69f4ae

    • SHA256

      1b8b8e268755376e95aaddd0a6881f6f4a4b96787af1b2db158e51958410da5f

    • SHA512

      1e5cd07637e213d3f77f8a6204b5bb9a6e16c343790dda4ed677b081e8600de912165bb3436dacf56ea2e5145e888f5964deda4ee4b7dd3516ae2cab42e2fa0f

    • SSDEEP

      12288:FetnJnVncnJnkncnpWQtnwn7n9nJnCnZnGn3eQSnqnBnununFn/nwnJnqnvnOnqP:nPDt5WXWSNkbfwVR8mfjF4HyCohp1

    Score
    1/10
    behavioral10behavioral9

    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      cb9807f6cf55ad799e920b7e0f97df99

    • SHA1

      bb76012ded5acd103adad49436612d073d159b29

    • SHA256

      5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

    • SHA512

      f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

    • SSDEEP

      49152:IuhjwXkKcimPVqB4faGCMhGNYYpQVTxx6k/ftO4w6FXKpOD21pLeXvZCoFwI8cc:oy904wYbZCoOI85oyI

    Score
    1/10
    behavioral11

    • Target

      ffmpeg.dll

    • Size

      2.7MB

    • MD5

      f459ce9af5091bc1e450eb753f6eb0b7

    • SHA1

      9df32de240dfaa780640361b1d0ca978a611fa27

    • SHA256

      e7714a1d6ac3f4c4ae22564b9ca301e486f5f42691859c0a687246c47b5cf5c9

    • SHA512

      7d626e5a94af43c8c0cca4bf0dc2e4fa61e147f1360f19ed8922a1dac4c5df642bca435f84baf05b38255edd2b72de79c07f97f1f7ec79b7c04e336c454ba63b

    • SSDEEP

      49152:7qLAtO2mAixsA2vE/nOootJhW8L32xfnok0TvMzEKJ7UWyTIQVRU5GkJtdj02b3M:/tnqOoowS32xf90m71yTIQVRU5GkJOlp

    Score
    1/10
    behavioral12behavioral13

    • Target

      libEGL.dll

    • Size

      460KB

    • MD5

      5de7e395632af0d31d8165ee5e5267dd

    • SHA1

      740ae64850e72e5ab3d49e3bbc785399a30a933e

    • SHA256

      44febbc02e69d492d39e2cd5d025bbf0d81b1889b37725bd700cc0c21e5ba22a

    • SHA512

      788c3fa6d58b8d3ae258628805ed79d612d9e15e92dca39c27cb621a2a9aa42669a20c11b5c9a912a2d8cd68b0a7a53f7689e729067c6d87a8063e5b8b2c265d

    • SSDEEP

      6144:3KEcTs/jvtGCIvT/BIy/71C6h7i6DPgwlXwuxkC8wmij8hLeC+:3KEcTs/jvtGCIb/BI/CLPzxk7wmij0

    Score
    1/10
    behavioral14behavioral15

    • Target

      libGLESv2.dll

    • Size

      6.8MB

    • MD5

      f96fc251bae55a5fc0f1ddaed8706015

    • SHA1

      532c2b51f5e3256777ae3b9f40c8067b20eee0a2

    • SHA256

      7897eb2441975523e3e78dbeabf2d9deba66534c69b6cefbf87ea638ee641ea6

    • SHA512

      cf2f9f126204596e37bbe5517500a738ad06f306cb49e7a36bc050e38a61191a767e5d3fecd570410f08d67b64e77019101b2970867e8f0d41b35a6526d3d280

    • SSDEEP

      49152:BVjYuYQiOJYXEPdX++aEVQwXW0LXoJihD9BV1W6X+AIt8k9C3NRKRzDGYCvktcKx:fd++tVQeWQhUkkKIGLJWr/bm

    Score
    1/10
    behavioral16behavioral17

    • Target

      resources/app.asar.unpacked/node_modules/screenshot-desktop/lib/win32/index.js

    • Size

      3KB

    • MD5

      d226502c9bf2ae0a7f029bd7930be88e

    • SHA1

      6be773fb30c7693b338f7c911b253e4f430c2f9b

    • SHA256

      77a3965315946a325ddcf0709d927ba72aa47f889976cbccf567c76cc545159f

    • SHA512

      93f3d885dad1540b1f721894209cb7f164f0f6f92857d713438e0ce685fc5ee1fc94eb27296462cdeede49b30af8bf089a1fc2a34f8577479645d556aaac2f8e

    Score
    1/10
    behavioral18behavioral19

    • Target

      resources/app.asar.unpacked/node_modules/screenshot-desktop/lib/win32/screenCapture_1.3.2.bat

    • Size

      13KB

    • MD5

      da0f40d84d72ae3e9324ad9a040a2e58

    • SHA1

      4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

    • SHA256

      818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

    • SHA512

      30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

    • SSDEEP

      384:4cr8sEcBeIXxqXhQsBxf5oBLBfXQM8ybCpGW1KTM+:4KEcRQBTxWlPZxWpG+Qx

    Score
    7/10

    • Executes dropped EXE

    behavioral20behavioral21

    • Target

      resources/elevate.exe

    • Size

      105KB

    • MD5

      792b92c8ad13c46f27c7ced0810694df

    • SHA1

      d8d449b92de20a57df722df46435ba4553ecc802

    • SHA256

      9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

    • SHA512

      6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

    • SSDEEP

      3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l

    Score
    1/10
    behavioral22behavioral23

    • Target

      vk_swiftshader.dll

    • Size

      4.5MB

    • MD5

      11308456ed9d5a9ebfdbc0f86160e797

    • SHA1

      a56a42951a4365b0228bdac44a31cca6b789a60e

    • SHA256

      18436e3ffaa5ad29f0fa0daba05cfd99ad6ae2ccc7d6a5bff9d4decd97c0993e

    • SHA512

      062389e03d4480f51c2ff9538f98f8d14b14017393295e5599bef10171c5dce6a3bb6318baf2f5d3f03ec016541f7b657d4ab4e78bfb40c9016a62ff0fe5ff76

    • SSDEEP

      49152:bO6IzWGejMxLmo/FxJga4kIKvGtY48loR/ciu4skCDC88PF/VoQ28iasG+Stxf+P:S7/pEEkSUwsNE/d

    Score
    1/10
    behavioral24behavioral25

    • Target

      vulkan-1.dll

    • Size

      854KB

    • MD5

      acc5484ae9cfff351ffc0341fae483dc

    • SHA1

      616b6e2763a9e4ac5f1c959ebdc4d15b68ac0d7c

    • SHA256

      1c7fe50af9f2c7722274ee55c28bc1e786effbed15943909d8da8f3492275574

    • SHA512

      25a47e2e7947f358f993fee1bd564c4e5df8db1f72ba7fb376b5aed0e671fc024e1b9d47754a78cac90082a84debb0eaef772e91f8121a2d6f35a5df41cb8fe1

    • SSDEEP

      12288:xPcsZ/i18O9zheQQZ7bjnfjaimmVBmJUAI0/bf1IohgX6G6:xPcL19F0QCn5VBKQmSL

    Score
    1/10
    behavioral26behavioral27

    • Target

      $PLUGINSDIR/nsis7z.dll

    • Size

      424KB

    • MD5

      80e44ce4895304c6a3a831310fbf8cd0

    • SHA1

      36bd49ae21c460be5753a904b4501f1abca53508

    • SHA256

      b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

    • SHA512

      c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

    • SSDEEP

      6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck

    Score
    3/10
    behavioral28behavioral29

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

epsilonevasionpersistencespywarestealer
Score
10/10

behavioral2

evasion
Score
9/10

behavioral3

Score
3/10

behavioral4

Score
3/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

epsilonevasionpersistencespywarestealer
Score
10/10

behavioral8

epsilonevasionpersistencespywarestealer
Score
10/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
7/10

behavioral21

Score
7/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
3/10

behavioral29

Score
3/10