General

  • Target

    BetterShaders 3.8.0.exe

  • Size

    71.3MB

  • Sample

    240523-ksja1sbc6z

  • MD5

    e743e372a9ad2c75482b9c1a580a773d

  • SHA1

    85783e01da015d56e27b584079eca6529107944c

  • SHA256

    c0c47f91e18fc087051c2172c74ae96e14e01fadb12af47d3e301e99e22da8c1

  • SHA512

    831ba32e260cc6fd99c04757118e31c999ce7f8a04a28765f5b1b91d817b9f43d12408fcd76710f2d8738cfbbe688b01f4b2b0033972bc2db095a1b6663c7ce1

  • SSDEEP

    1572864:ZVg6PFyMnotsYEb/aSY+NPZS7oYpbswqeHHVBqXda6LpVAI6x7:ZVnZnwsYGaTe4lRqeH1BqXdt4I6x7

Score
7/10

Targets

    • Target

      BetterShaders 3.8.0.exe

    • Size

      71.3MB

    • MD5

      e743e372a9ad2c75482b9c1a580a773d

    • SHA1

      85783e01da015d56e27b584079eca6529107944c

    • SHA256

      c0c47f91e18fc087051c2172c74ae96e14e01fadb12af47d3e301e99e22da8c1

    • SHA512

      831ba32e260cc6fd99c04757118e31c999ce7f8a04a28765f5b1b91d817b9f43d12408fcd76710f2d8738cfbbe688b01f4b2b0033972bc2db095a1b6663c7ce1

    • SSDEEP

      1572864:ZVg6PFyMnotsYEb/aSY+NPZS7oYpbswqeHHVBqXda6LpVAI6x7:ZVnZnwsYGaTe4lRqeH1BqXdt4I6x7

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • An obfuscated cmd.exe command line is typically used to evade detection.

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      BetterShaders.exe

    • Size

      168.8MB

    • MD5

      26e51744ce941b55c7653e9ab229a18f

    • SHA1

      bd08f0f5b3f64aba844128dfb2d77312bbef8b46

    • SHA256

      3bcf3c61e80cc6346a8af84c89ca2c50a9eef2b6b915c6c73fff8725f1c6b118

    • SHA512

      a308443b59a0a5713b99474e30f93a7f8cc98120c11c2f9f5884d5aa61bbf0073a6cfb1c67d676d64656988802fbf1bb8a1f5234df09b1fd2c36f5f7d3fed0a4

    • SSDEEP

      1572864:du3SXrDDmfijsEGl0y+Mgp4cLTRN/33i/oHHl9sqPwqZdsJ2DWw3h9JByba/:/XX++LYYyba

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP address.

    • An obfuscated cmd.exe command line is typically used to evade detection.

    Caveat: these signatures are behavioural heuristics, not a verdict. The files dropped alongside BetterShaders.exe (LICENSES.chromium.html, ffmpeg.dll, libEGL.dll, libGLESv2.dll, vk_swiftshader.dll, vulkan-1.dll, d3dcompiler_47.dll, resources/elevate.exe) are the standard Electron runtime set, and the $PLUGINSDIR plugins (nsis7z.dll, StdUtils.dll, System.dll) come from an NSIS installer. An Electron application reads and writes a Chromium-style profile (Local State, Cookies, Local Storage) in its own user-data directory, which is enough on its own to trip the "Reads user/profile data of web browsers" heuristic. Before treating the 7/10 score as an infostealer verdict, confirm from the task's file and registry events whether the paths read belong to the application's own profile or to Chrome, Edge or Firefox user profiles, and which host the external IP lookup contacted.

    • Target

      LICENSES.chromium.html

    • Size

      9.8MB

    • MD5

      b620990ddbd932d6475152e5a833860e

    • SHA1

      70de0b3d7ffa77900f685c1788b32997a61ec386

    • SHA256

      921452a09f92f10da4cfef0521acd6ee6c689c630661ed35189e793de2c99fc5

    • SHA512

      ba84b5e6281dd64d5da41d0db35942b6c0b1ee6b47d24dedd5006be40b2d22d90f58dc653e17893347900fb1bfcd37b0f2fff5b532175ccacc3b63d98fe42ac7

    • SSDEEP

      24576:K+QQM6Ms6x5d1n+wRhXe1BmfEl6k6T6W6b6f6V6GeGj/3BIpx:LUcBeGdY

    Score
    1/10
    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      a7b7470c347f84365ffe1b2072b4f95c

    • SHA1

      57a96f6fb326ba65b7f7016242132b3f9464c7a3

    • SHA256

      af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

    • SHA512

      83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

    • SSDEEP

      49152:hCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRN1:oG2QCwmHjnog/pzHAo/Ayc

    Score
    1/10
    • Target

      ffmpeg.dll

    • Size

      2.6MB

    • MD5

      3b74a017d60d588937ccb7453ee3df14

    • SHA1

      37505b193d45986daccb3e4c44f40675d0b4c40a

    • SHA256

      395fc47fdafec2e93c3534da579393466703ff6f9380ca6d2c2e7628462d40ce

    • SHA512

      38efc1f695375bc6599848b4a5d10aba8571c618b8ecc3a007dd953c9e724e9d7839eb27e2cefd2c482bd9f5f363733563a592b8fa8af16e311644e44bab0872

    • SSDEEP

      49152:/C8lp7/1UNZrhOP9YJQHUOWwGen6yfW0OfShPdb5x:4hOVYJiUOWwQaPB

    Score
    1/10
    • Target

      libEGL.dll

    • Size

      469KB

    • MD5

      c7e24104c3d3e96b15fd0e309208f6d5

    • SHA1

      974f73ce194123d7a024aa1dcfa3cbf9f0ceec0c

    • SHA256

      5264e6461af122eced8ef3ce198c1c40851839d987f1e974e5c760dd847b9552

    • SHA512

      e7d8203c895aaff2e29d870979fecb2b1ccf8334fa494341bde95cebb80f51893998ed65526dd433daad7a600dc14c97417c7069cc3db9516f741280d11609b0

    • SSDEEP

      6144:pmfOX/zRR8yWTDLMoqbAIbqkpXy0/KQPJRIJAG:0czRSyWTDY6IlpXy0/3hIH

    Score
    1/10
    • Target

      libGLESv2.dll

    • Size

      7.6MB

    • MD5

      7b6eb3934932d133f25cfda71c2cf129

    • SHA1

      da9dfc18f03667bdc950b11cdb7db31d2417d27c

    • SHA256

      bb4625ec2c0811fc55f66904567035d8533d6a3b88250ee2dd848cbccd6c5dbb

    • SHA512

      059d97edb4ff4d380ce1c955312ea38509560f279b560108e7237197e80172bf38da0eda7f821efaeaf6106366faa0c5b29497f973773ee16c9eb41d5eda1b8d

    • SSDEEP

      98304:fYV7tX7CQNabuCLAqpM4x2hD/mMg3EBdsXm3iw3K:uldFEAOCiw

    Score
    1/10
    • Target

      resources/elevate.exe

    • Size

      105KB

    • MD5

      792b92c8ad13c46f27c7ced0810694df

    • SHA1

      d8d449b92de20a57df722df46435ba4553ecc802

    • SHA256

      9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

    • SHA512

      6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

    • SSDEEP

      3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l

    Score
    1/10
    • Target

      vk_swiftshader.dll

    • Size

      5.1MB

    • MD5

      063f0a33deddca0a6599386c12ee57a5

    • SHA1

      6e05dfdfa7d5e5f35b593662227055011356ab19

    • SHA256

      1bcf8e101bc58413bf7d64fb757cd2627b91a2b7830213657a1f0237b1a4980d

    • SHA512

      15eb123bffde32d4d2ca22802320ecd697d091824949019420c082c2d57767aa04728874dc79bd02835e88ec7b4104f3553b4f09478cfee066273cdaacd916b2

    • SSDEEP

      49152:MoaTaX1+4J7dN1uB/t4ABL5V1v+3+mFcpZBqtpM5KZwFlox0ikAiJb1XQGBliYDj:OeX1+qULMSx17nb24

    Score
    1/10
    • Target

      vulkan-1.dll

    • Size

      935KB

    • MD5

      fb8cb93daa4650ff759a96108c972bc9

    • SHA1

      5bc7321f696a198496f9adac4246d139b7a5ca2e

    • SHA256

      3389cf4e90f961466f4d0a226e649de628a537f0c2c1f6f444473f8330d94c57

    • SHA512

      f05270c24583e3141fbceec64761156d561b8dcd334cfdaf2a42e5cedb478f1f75b42341b2bdb0e0daa011d0d1701890e91e8c110c90b06d664bde932a5f5560

    • SSDEEP

      24576:n7t2bkeR6V9+8T28zEQ6Z5W1DYsHq6g3P0zAk7mNkb:nYAeR6VY868zEQ6Z5W1DYsHq6g3P0zA0

    Score
    1/10
    • Target

      $PLUGINSDIR/nsis7z.dll

    • Size

      424KB

    • MD5

      80e44ce4895304c6a3a831310fbf8cd0

    • SHA1

      36bd49ae21c460be5753a904b4501f1abca53508

    • SHA256

      b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

    • SHA512

      c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

    • SSDEEP

      6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck

    Score
    3/10
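
The Targets list above is, in practice, an IOC table: anyone who downloaded this installer wants to know whether their copy and its unpacked files are the ones the sandbox analysed. The following is an added example (not code from the sandbox report or from the BetterShaders project) that streams each file under a directory through SHA256 and classifies it against the report's values. REPORT_IOCS transcribes the SHA256 and score of every target listed above; build_demo_tree() and its small IOC dictionary are constructed here purely so the checker can be exercised offline, and their hashes are not the report's. The assumption that report names are paths relative to the install directory, with forward slashes, is mine.

```python
"""Check local files against the SHA256 values in this report's Targets list.

Added example, not code from the sandbox report or the BetterShaders project.
REPORT_IOCS transcribes the report's SHA256 and score per target; build_demo_tree()
writes constructed stand-in files so the checker runs offline (their hashes are
not the report's).
"""
import hashlib
import tempfile
from pathlib import Path

# (SHA256, score) per target name, copied from the Targets list above.
REPORT_IOCS = {
    "BetterShaders 3.8.0.exe": ("c0c47f91e18fc087051c2172c74ae96e14e01fadb12af47d3e301e99e22da8c1", 7),
    "$PLUGINSDIR/StdUtils.dll": ("b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e", 3),
    "$PLUGINSDIR/System.dll": ("3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca", 3),
    "BetterShaders.exe": ("3bcf3c61e80cc6346a8af84c89ca2c50a9eef2b6b915c6c73fff8725f1c6b118", 7),
    "LICENSES.chromium.html": ("921452a09f92f10da4cfef0521acd6ee6c689c630661ed35189e793de2c99fc5", 1),
    "d3dcompiler_47.dll": ("af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a", 1),
    "ffmpeg.dll": ("395fc47fdafec2e93c3534da579393466703ff6f9380ca6d2c2e7628462d40ce", 1),
    "libEGL.dll": ("5264e6461af122eced8ef3ce198c1c40851839d987f1e974e5c760dd847b9552", 1),
    "libGLESv2.dll": ("bb4625ec2c0811fc55f66904567035d8533d6a3b88250ee2dd848cbccd6c5dbb", 1),
    "resources/elevate.exe": ("9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37", 1),
    "vk_swiftshader.dll": ("1bcf8e101bc58413bf7d64fb757cd2627b91a2b7830213657a1f0237b1a4980d", 1),
    "vulkan-1.dll": ("3389cf4e90f961466f4d0a226e649de628a537f0c2c1f6f444473f8330d94c57", 1),
    "$PLUGINSDIR/nsis7z.dll": ("b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592", 3),
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks; BetterShaders.exe alone is 168.8 MB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def classify(name, digest, iocs=REPORT_IOCS):
    """Return (verdict, score): 'match' or 'mismatch' against the table, or
    'unknown' when the name is not listed. Hashes compare case-insensitively."""
    entry = iocs.get(name)
    if entry is None:
        return "unknown", None
    expected, score = entry
    return ("match" if digest.lower() == expected.lower() else "mismatch"), score


def verify_tree(root, iocs=REPORT_IOCS):
    """Hash every file under root and classify it by forward-slash relative path,
    so resources\\elevate.exe on disk lines up with 'resources/elevate.exe'.
    Assumption (mine): report names are relative to the install directory; the
    $PLUGINSDIR entries exist only in NSIS's temp dir while the installer runs."""
    root = Path(root)
    results = {}
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        rel = p.relative_to(root).as_posix()
        results[rel] = classify(rel, sha256_file(p), iocs)
    return results


def summarize(results):
    """Verdict counts plus the names worth a second look: any mismatch (not the
    file the report analysed) and any match the sandbox scored 7/10."""
    summary = {"match": 0, "mismatch": 0, "unknown": 0, "flagged": []}
    for name, (verdict, score) in results.items():
        summary[verdict] += 1
        if verdict == "mismatch" or (verdict == "match" and score >= 7):
            summary["flagged"].append(name)
    return summary


def build_demo_tree():
    """Constructed fixture, not real sample data: a temp directory with one file
    whose hash is listed correctly, one listed with a deliberately wrong hash,
    and one file absent from the table. Returns (root, iocs)."""
    root = Path(tempfile.mkdtemp(prefix="bettershaders-demo-"))
    (root / "resources").mkdir()
    elevate = b"constructed stand-in for resources/elevate.exe\n"
    (root / "resources" / "elevate.exe").write_bytes(elevate)
    (root / "LICENSES.chromium.html").write_bytes(b"<html>constructed</html>\n")
    (root / "unlisted.txt").write_bytes(b"not in the report\n")
    iocs = {
        "resources/elevate.exe": (hashlib.sha256(elevate).hexdigest(), 7),
        "LICENSES.chromium.html": ("00" * 32, 1),  # wrong on purpose
    }
    return root, iocs


if __name__ == "__main__":
    root, iocs = build_demo_tree()
    results = verify_tree(root, iocs)
    for name, (verdict, score) in results.items():
        print(f"{verdict:8} score={score} {name}")
    print(summarize(results))
```

To check a real download, call verify_tree() with the installer's directory and the default REPORT_IOCS; a "mismatch" on the main installer means the file on disk is not the one this report describes, and the $PLUGINSDIR names will stay "unknown" unless the plugin DLLs were captured from the sandbox's temp directory.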

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic              Technique                       Count  ID
  Defense Evasion     Modify Registry                 2      T1112
  Credential Access   Unsecured Credentials           2      T1552
                        Credentials In Files          2      T1552.001
  Discovery           Query Registry                  3      T1012
                      System Information Discovery    4      T1082
                      Process Discovery               2      T1057
  Collection          Data from Local System          2      T1005
