General
Target: Render Leak.rar
Size: 80.8MB
Sample: 240601-ryvdsseg4t
MD5: 820050cd084e630670e8b78579d44a5c
SHA1: 20fff4868838a111705622dec6019905e8ff9782
SHA256: 5108dffa7044826aae597f21cb2aaceed5d1b1fa4cb34a4494d1e500e578d436
SHA512: 63d8f7246101fcb0c48291efa5cb36877a463e9fb9b043ca3dd6dac0733099387c582f7385e7e76f16801ee5820948e3c030d7c485d23c61c5a3f6a304dd5c83
SSDEEP: 1572864:k4gPXMoGTgUtcBh2swu87JWVIAESWXzXiSpfVrVPFAbWUIN+0QPatdxx9E:k4AcpT6Bh2swug4DNWjSSpfVrVebAN+f
Static task: static1

Behavioral task: behavioral1
Sample: Render Leak/RenderPrivateExecutor.exe
Resource: win11-20240426-en

Behavioral task: behavioral2
Sample: Render Leak/RenderScriptLibarry.exe
Resource: win11-20240426-en

Malware Config
Extracted: gozi
Targets

Target: Render Leak/RenderPrivateExecutor.exe
Size: 11KB
MD5: b255f2988558b9dbc3cc5a9814803364
SHA1: 6cab200559f340364b3a3cea3cf321e7d32cec97
SHA256: f2a05b8bcb63042b9af36a0aa52bca8ae9de5664edc6bb1a46499ab9516e4ae5
SHA512: 5bcf60d73069c15087cce591b4f3bf125b3649528758068859c6ef510b811c336962afdc20ee29a805a90fd7eff98ae7b97062035666144ae0e78d19796773d3
SSDEEP: 192:598Jf9mV2Xm51Mpa0kGea0ICntHvl7QYrm/sxn8Ft1eSwcU1r:59AoMpauL0/vhQYKUxsjJd8
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
Target: Render Leak/RenderScriptLibarry.exe
Size: 80.8MB
MD5: e13f33e9de257f82bd239aa75336fe13
SHA1: e3031c13f89cb6c43fbc39464feb16238fc504af
SHA256: 835e0e02dc6b136e69c5b9be40b35a18817a2f581c7e6f695a1add9d03cee60a
SHA512: 2e669360e642ffe2531d425c45b1c0c45b2563bbbc844c73274dadf36cc13767275632aa85772972780e0aee7f561de7dbcb1da66c0235d831498e364ef74548
SSDEEP: 1572864:Y4gPXMoGTgUtcBh2swu87JWVIAESWXzXiSpfVrVPFAbWUIN+0QPatdxx97:Y4AcpT6Bh2swug4DNWjSSpfVrVebAN+y
Score: 7/10
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)