Extracted

• • Target

    BlitzedGrabberV12.rar

  • Size

    3.6MB

  • MD5

    4282ce784621bf22365f21260be70e5e

  • SHA1

    3e743738e2ec8cc35d64ebbad99abcfde46eafe3

  • SHA256

    06fa7e3221aa6f67eeefa8b807a6abb0b4c385d7eb61434ccec55ad2a5d3a1dd

  • SHA512

    aa776cfdc39c152814a7e0e6def451454ca30fc4388dec48f3d12b1e50a0ee3925bfd2333700919b52af725cfe7ece93146ba24a9c0d2a6c0d602f7b243b77ec

  • SSDEEP

    98304:8IAP4hcx7zUBj8tz3b/MTraRaUTAdGW3bkzjuYAV2du1hH+QJ:MqcxzKQlL/FvA0ckz542d3QJ

  Score

  10^/10

  orcusstormkittyagilenetexecutionpersistenceratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus main payload

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Orcurs Rat Executable

  • Executes dropped EXE

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Adds Run key to start application

    persistence

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1behavioral2

• • Target

    BlitzedGrabberV12/BlitzedGrabberV12.exe

  • Size

    926.0MB

  • MD5

    930b3bbbaa989db448d8ec5c696a5a16

  • SHA1

    a27e7c76990a31f1414d429e828c81e14f48a00a

  • SHA256

    eacf04d721fe4880dc73790ccbd58acf310dc0c90b13b7424200a9aa2b94640a

  • SHA512

    cb9dc7db9f4a4c0dc5407d0a9bbd5c1301d5c4d03fed7d6b972c61a816c8860aff072f1515189d21b3336448a7c19d99f636cc3b060e4628c2ef7dbd1e75291a

  • SSDEEP

    49152:KUAHP06/eyShf+okdWtRAOk3HQ7JTDCgV4L6uzxGiWaUKU:WmBf2dWtnGcDnMjFWxK

  Score

  10^/10

  orcusagilenetexecutionpersistenceratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus main payload

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Obfuscated with Agile.Net obfuscator

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet

  • Adds Run key to start application

    persistence

  • Drops desktop.ini file(s)

  • Drops file in System32 directory

  behavioral3behavioral4

• • Target

    BlitzedGrabberV12/README.txt

  • Size

    1KB

  • MD5

    110a464be52a150056f184348f09a6c6

  • SHA1

    c7516032dbae3d9e3c0342da0bd690318b93be6f

  • SHA256

    97b778580fd7487beb8062a777a654b718a3b16622d8bcf46594ac9048dd3e6a

  • SHA512

    04c97df944b110f6c481f2b06b406d7ba5b2b3a6176a2527ae8b9820d925a341fd106e20dd3694353effa4f623c8eeb3f858de478ebc13fa6c68d6ab04db85cf

  Score

  1^/10
  behavioral5behavioral6

• • Target

    BlitzedGrabberV12/Resources/APIFOR.DLL

  • Size

    13KB

  • MD5

    91b4d211faddb0ebc64fb000d75d96c1

  • SHA1

    ba496c122f8e562ff0a4fb272a68f0b9e7bf0a3c

  • SHA256

    e47ab6fb21bd8943f63d79387533abac0c2bd98245546df44c4f333d8013c4de

  • SHA512

    3f16b0b4618d446d0e42ed2063c611b4ffa72a5b0ff438df5286a216167881737e65d494aa12186e511690eaca2f51c00889c9eae5ab6392c1edf885e5592919

  • SSDEEP

    192:NVjzYtxJYPX7OdfdnHpZt8kit/2Y3ciPYEC3qHa:NVgbkXK5NHpZikit/NYE4qHa

  Score

  1^/10
  behavioral7behavioral8

• • Target

    BlitzedGrabberV12/Resources/BouncyCastle.Crypto.dll

  • Size

    2.5MB

  • MD5

    3551343fab213740bbb022e3a6dcf27b

  • SHA1

    de67fb4f9d58db4a860a703c8d1f54ff00ff9b1f

  • SHA256

    5530dff976bc0c889076b97ca695bdb97ef07f63449d32f893ed32398ed8bfe6

  • SHA512

    e90f51053e1d4b0ea1f7458229de92174abf0781c766290da4de5cc8dfcfb730998252bf28b36ca5070978fdcea8b97f0aea6a47b875dd34173643ac0cb46c42

  • SSDEEP

    49152:3CTzhVM0AU5d3UOhq8hmReOUJfd5T3D+VTQlgQeCKbu9kQLO0:GwU5d3vhzhmoOmfd5rqX0

  Score

  1^/10
  behavioral10behavioral9

• • Target

    BlitzedGrabberV12/Resources/Newtonsoft.Json.dll

  • Size

    492KB

  • MD5

    5e02ddaf3b02e43e532fc6a52b04d14b

  • SHA1

    67f0bd5cfa3824860626b6b3fff37dc89e305cec

  • SHA256

    78bedd9fce877a71a8d8ff9a813662d8248361e46705c4ef7afc61d440ff2eeb

  • SHA512

    38720cacbb169dfc448deef86af973eafefa19eaeb48c55c58091c9d6a8b12a1f90148c287faaaa01326ec47143969ad1b54ee2b81018e1de0b83350dc418d1c

  • SSDEEP

    12288:axrplPT3qwNBC3wl1zVh0Yg0pJy/qleTpfZLQ0so/VHjh:a1plPGwNBC3UOwVeLQ0so/VH

  Score

  1^/10
  behavioral11behavioral12

• • Target

    BlitzedGrabberV12/Resources/UltraEmbeddable.exe

  • Size

    465KB

  • MD5

    b6b77d0798d39d7fadd69784c4e47c30

  • SHA1

    967af699bd9e0f2f20b0743323e5cdd6c3767ea2

  • SHA256

    e5c9880090d757207a5cd373f5e1d20c42d7486c742b3a30a2ee741a7aef5ef8

  • SHA512

    5140dcebbeb53c8e74364de824d78d6c5fddcfa08f0ac38ff0d898e71bf4f8630f3b529571a7f64be00981e83af7f85a9b6665aedfaf7f0720995fae8a8e28d6

  • SSDEEP

    12288:MXUNgkAIMflOWTUpGY5ObqRKd6G2nHVxxd/2KO:QUNdJMNOWTUQveYd6fHnxsKO

  Score

  3^/10
  behavioral13behavioral14

• • Target

    BlitzedGrabberV12/Resources/ww.exe

  • Size

    59KB

  • MD5

    21d2cd5e50a4fea2868725cbf2bd43dd

  • SHA1

    2eede1b89427f9cf5b9c144f9ab2cac79439e029

  • SHA256

    809236959232884def77d8da2aa283a8ad4c77824932cd06a4188a21a6581bc3

  • SHA512

    1eacde6ef8c47fe8f6b1d6b8479453fbddd4531fb4dc3bec83eaaa261b5ae3ed963c6d862b4e92862aefa4bc069c5a190390df6edfdfded69e0778651c1bfca8

  • SSDEEP

    768:bv8q4lFep7sfOCROyzDxEQK76Yt5Qb7jTIajt9K0fZOv11yL6N9gE5WHpGV:Dt4lffROyzECZ41yLg9gEgJS

  Score

  10^/10

  stormkittyspywarestealer

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  behavioral15behavioral16

• • Target

    BlitzedGrabberV12/Resources/yhyty5.exe

  • Size

    59KB

  • MD5

    9b1283f4b90fa0009ea6fda13596a584

  • SHA1

    1daa7ccfddc6da823c2fadb7b821a9e26efebabe

  • SHA256

    4e3ff2595fc8b32fb44856e856b6d91600fd6a66ab556bc2437a926bf7c8fdb0

  • SHA512

    ca6d46254da5c16f80a3ee4a5d11b7203a025082e8268ba8ff343a6b705262e03c8c149e381ec038b364ebecb8a5ab4169e6e5fb3676d90abe37aecf468d1ecb

  • SSDEEP

    768:uvlq4ltFkHOCROyDZSCY6LaIdB4b2iuAPGdX3oI0fZOv11cEL6N9Q5WEpGl:I84l4XROyDL3AEo41BLg9Qg6y

  Score

  10^/10

  stormkittyspywarestealer

  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty

  • StormKitty payload

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Legitimate hosting services abused for malware hosting/C2

  behavioral17behavioral18