General

  • Target

    sillyboost_cracked_v1.zip

  • Size

    40.4MB

  • Sample

    240522-27jc1acf78

  • MD5

    9999e496ea39c2cd016d4e893811c01d

  • SHA1

    f1de7c2e4767d764fe46e118581f2c6908ade992

  • SHA256

    5a0461545da96488d576540bc526e5c1a861d09f2c73f528e3191212d2f9f1b1

  • SHA512

    a13e5a3ab1dfd2857602fd7fa8ddfa5e404b644ec057bf2bebfd38ad27628ed6080cd39254df6da4af979c800bc46fc7a4f9b8949ec70962172e645d04c43c82

  • SSDEEP

    786432:djWwTiwq0JgcbRI3IqVCQVcZQ+iurECpdBekLw8WtYt3LFLI:dzTA0JgcbrqAQVD+NEWP7LLtRLI

Malware Config

Targets

    • Target

      sillyboost_cracked_v1.zip

    • Size

      40.4MB

    • MD5

      9999e496ea39c2cd016d4e893811c01d

    • SHA1

      f1de7c2e4767d764fe46e118581f2c6908ade992

    • SHA256

      5a0461545da96488d576540bc526e5c1a861d09f2c73f528e3191212d2f9f1b1

    • SHA512

      a13e5a3ab1dfd2857602fd7fa8ddfa5e404b644ec057bf2bebfd38ad27628ed6080cd39254df6da4af979c800bc46fc7a4f9b8949ec70962172e645d04c43c82

    • SSDEEP

      786432:djWwTiwq0JgcbRI3IqVCQVcZQ+iurECpdBekLw8WtYt3LFLI:dzTA0JgcbrqAQVD+NEWP7LLtRLI

    Score
    1/10
    • Target

      sillyboost_cracked_v1/config.json

    • Size

      252B

    • MD5

      49a9757626ec5e53193026e92d8de41d

    • SHA1

      88f0a32589186717d702cdd25e5645d5747e402b

    • SHA256

      f19a2ce2d7839fe6d9d44aa2648302e042d8ae75286c0216363340f20e631f8b

    • SHA512

      d477d8977eb7e114f61297ae8ab3132cd3f0ae46807b327b383396f2fa5d265e93ca38985831bb948a93f884768477f6ec653b7ce74e110c40bcc11f106d9c36

    Score
    3/10
    • Target

      sillyboost_cracked_v1/crack.dll

    • Size

      4.9MB

    • MD5

      d8131fd472e3f921dca592b6c0872c26

    • SHA1

      3be46fc189d169673e3f8779128b42f17be131d3

    • SHA256

      e923fb5d56d8f8f7bb2f0b11be779ca5d87164c536d9f8c0c24a89b52a372c06

    • SHA512

      9fa8978e2f6549b56cc077e8d857cbc5e106cb9da0cef976326110ce0f6dee11ca0fe72751e63d862e42cad80508a0747377e08b72cc4faaa9f614381ebdf6a9

    • SSDEEP

      98304:bd1z1vEYCYWcv4DoirkjuQM/OMc7/2QIqLAIOiqrr8HfdmjLdGGf:bdx1vMlDEXMc7MqcIOjH8O

    Score
    9/10
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

    • Target

      sillyboost_cracked_v1/loader.exe

    • Size

      5.3MB

    • MD5

      ed358d5c060320055e0a1bfce6b1e419

    • SHA1

      12853b07f03fa86e2d859475ff16243a8216c1c7

    • SHA256

      b7e0248552ac34bd73e2e6ac4f6b5edeb2ad27f094df41addd8e989c7256bc18

    • SHA512

      d63c96aa4dba2684e210d7893a9b166490b674a34e4acf95b8f80df4c04284d58c23c0295d27451fa971c1cb9beff1fc499057f5afab0a1d790dab9ac8cba00d

    • SSDEEP

      98304:V8ihICaLqaR7bM++vEeIML8+vTV6oQpSJxtN7h0w27jVGDLhM34CLCIqgFF:V5Iaa5bM3IML8+7VZ30dM584CL5nFF

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      sillyboost_cracked_v1/silly.exe

    • Size

      31.7MB

    • MD5

      edf5231904acc98d0aa6e8dac9e6f57b

    • SHA1

      ab01505afc25fd2286fcc52a52a12c510b298fa4

    • SHA256

      4400e10819840cbbe5238f4cb4560ec2c5fa6dbfca6124d6065aa8df42506472

    • SHA512

      b4e01b5e2756fae3f7872d909bcb1e26618c6713d5428af6c96d08613154f65e749840ee07c3d6ce42af974a2c6c87b2bcd90e494e2e61722a377982b7070291

    • SSDEEP

      786432:EYSoQBHU9SuW1HMqG5qkOIRFbRBYvHjwouTtRLzx:EYSoQBD/NMqpk9FdKfjQtNx

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      s((��.A.pyc

    • Size

      1KB

    • MD5

      618a38462d407f1a7bf1306aac9f15e5

    • SHA1

      f1d667201337a546af7c850b09bb97deeef33001

    • SHA256

      70c2d3eda71556add3405a96c8f41d5c7c351a855d0138c3ee862aeb18281346

    • SHA512

      c4eef2c9b1f2fc9fb3316e62884322b307154d5037b9553169cf5b3abc0aba9e53812e6152296c4ce4190195f904866e4d0084b22e89a7d075a4ef851e9f7ecb

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v13)

    ID           Technique                                   Count

Execution

    T1059        Command and Scripting Interpreter           2
    T1059.001    PowerShell                                  1

Persistence

    T1547        Boot or Logon Autostart Execution           1
    T1547.001    Registry Run Keys / Startup Folder          1

Privilege Escalation

    T1547        Boot or Logon Autostart Execution           1
    T1547.001    Registry Run Keys / Startup Folder          1

Defense Evasion

    T1497        Virtualization/Sandbox Evasion              1
    T1562        Impair Defenses                             1
    T1112        Modify Registry                             2

Credential Access

    T1552        Unsecured Credentials                       1
    T1552.001    Credentials In Files                        1

Discovery

    T1082        System Information Discovery                8
    T1012        Query Registry                              6
    T1497        Virtualization/Sandbox Evasion              1
    T1120        Peripheral Device Discovery                 1
    T1057        Process Discovery                           1

Collection

    T1005        Data from Local System                      1

Command and Control

    T1102        Web Service                                 1