General

  • Target

    Vorion App Setup.exe

  • Size

    47.3MB

  • Sample

    240606-kp6bdaca5y

  • MD5

    cab622641242a6f2fcbb8a1ae2698fd2

  • SHA1

    9d56b54643706787c16f0cae4e9e565c1e1a49ec

  • SHA256

    f3176e0859ba92049dcd57685c1b5f49b97183ff49fcc79f2ce4ad2b31d2d843

  • SHA512

    324ad8a7669d15ef19d0c1d7b362d17f2118414b4e8672921fe45994db0425200a38e26fc4c169ecb19f7c4aa8233fc5dfd32c3cb32e600cc031139d0e530cf1

  • SSDEEP

    786432:MXCn7F7DZHw0SLuXUG6fssNb8ReGJqznv+DGODFjupn5oZfikV6PH2fLbTvkw0Y7:MyRPZQ5LKQ0sNGWO1FpZf+PH67vkoGKL

Malware Config

Extracted

  • Family

    stealc

  • Botnet

    vor4

  • C2

    http://45.88.77.28

  • Attributes

    url_path: /f6a9d3a0017c37c9.php
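The extracted config gives exactly two network indicators: the C2 host and the PHP endpoint path. As an added example (not part of this report or of any vendor tooling), the following Python matches both against proxy access-log lines and renders a Suricata rule for the C2 request. The Squid-style log layout, the sample lines, and the sid value are assumptions.

```python
"""Match the Stealc C2 (host + url_path) from the report against proxy logs.

Added example, not part of the sandbox report. Log format and sample lines
are constructed (assumed Squid native access.log layout).
"""
import re
from urllib.parse import urlsplit

# Indicators copied from the report's "Malware Config" section.
STEALC_C2 = {
    "host": "45.88.77.28",
    "url_path": "/f6a9d3a0017c37c9.php",
    "botnet": "vor4",
}

# Constructed sample lines (assumption: Squid native access.log layout:
# timestamp elapsed client action/code bytes method URL user hierarchy type).
SAMPLE_LOG = """\
1717660801.123    412 10.0.0.15 TCP_MISS/200 2048 POST http://45.88.77.28/f6a9d3a0017c37c9.php - HIER_DIRECT/45.88.77.28 text/html
1717660802.456     90 10.0.0.15 TCP_MISS/200 512 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1717660803.789    388 10.0.0.22 TCP_MISS/200 1900 POST http://45.88.77.28/f6a9d3a0017c37c9.php - HIER_DIRECT/45.88.77.28 text/html
1717660804.000    120 10.0.0.31 TCP_MISS/404 300 GET http://45.88.77.28/other.php - HIER_DIRECT/45.88.77.28 text/html
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Split one access-log line into the fields the matcher needs, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    return {
        "ts": float(m.group("ts")),
        "client": m.group("client"),
        "method": m.group("method"),
        "host": url.hostname,
        "path": url.path,
    }


def classify(rec, c2=STEALC_C2):
    """'c2' for an exact host+path hit; 'host' for any other request to the
    C2 address (still worth a look: benign traffic to a bare C2 IP is unlikely);
    None for everything else."""
    if rec is None or rec["host"] != c2["host"]:
        return None
    return "c2" if rec["path"] == c2["url_path"] else "host"


def scan(log_text, c2=STEALC_C2):
    """Return (client, method, path, verdict) for every line touching the C2."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec, c2)
        if verdict:
            hits.append((rec["client"], rec["method"], rec["path"], verdict))
    return hits


def suricata_rule(c2=STEALC_C2, sid=9000001):
    """Render a Suricata rule for the C2 POST (sid is an arbitrary local value)."""
    return (
        'alert http $HOME_NET any -> {host} any (msg:"Stealc C2 POST, botnet {botnet}"; '
        'flow:established,to_server; http.method; content:"POST"; '
        'http.uri; content:"{path}"; startswith; '
        'classtype:trojan-activity; sid:{sid}; rev:1;)'
    ).format(host=c2["host"], botnet=c2["botnet"], path=c2["url_path"], sid=sid)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("%-10s %-4s %-25s %s" % hit)
    print(suricata_rule())
```

Matching on host and path separately matters here: the PHP endpoint name is per-build and will change, while the IP may be reused across builds, so a "host" verdict on a different path is a lead rather than noise.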

Targets

    • Target

      Vorion App Setup.exe

    • Size

      47.3MB

    • MD5

      cab622641242a6f2fcbb8a1ae2698fd2

    • SHA1

      9d56b54643706787c16f0cae4e9e565c1e1a49ec

    • SHA256

      f3176e0859ba92049dcd57685c1b5f49b97183ff49fcc79f2ce4ad2b31d2d843

    • SHA512

      324ad8a7669d15ef19d0c1d7b362d17f2118414b4e8672921fe45994db0425200a38e26fc4c169ecb19f7c4aa8233fc5dfd32c3cb32e600cc031139d0e530cf1

    • SSDEEP

      786432:MXCn7F7DZHw0SLuXUG6fssNb8ReGJqznv+DGODFjupn5oZfikV6PH2fLbTvkw0Y7:MyRPZQ5LKQ0sNGWO1FpZf+PH67vkoGKL

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Downloads MZ/PE file

    • Suspicious use of SetThreadContext

    • Target

      PenImc_cor3.dll

    • Size

      158KB

    • MD5

      362e037c4be1cb28fac25612e9be029d

    • SHA1

      4a11ab39dbd0dba5480f54324c58f8294b19ce5f

    • SHA256

      f95b51b5bee746ea3430a277f0473f42e4e22fc12b8dbfc719346cee579b80ff

    • SHA512

      945b6cc6cba7742323b6cc023eb78b227180bf8a0f8c134871948410b48d9399ae68f52ef80e18945fb018508f92ae6da9584c75c6f12fe06f6e86fdea4611d6

    • SSDEEP

      3072:OzAUq2kMBlUb8BQLBzDUw7aaHSuEmUgPuoATZ+AiRvYY4ZmoJ:OzHkMTvmLtDUw2huEmd2LbYvi

    • Score

      1/10

    • Target

      System.Buffers.dll

    • Size

      15KB

    • MD5

      0ee3421b5e820a5eb84aa26fc69409d1

    • SHA1

      7d7af7d3d87b33e3f65a3cdfa84bb073e0b91eb1

    • SHA256

      690ef287a0331844cc83fad41417992b5bf65590cdf803377802dd94a05cc0df

    • SHA512

      27442ddc8eb876f76aeaf4d80f479d05dab6817657f50699527b163e855561812f48f4a11d5fc84c148d5f928cfc91476686eeb479580e2fe1f71a85980bffb9

    • SSDEEP

      192:z8lEywWN2WSuWXebPpUNTQHnhWgN7agW+5E17weX01k9z3AIiajs:zCqWN2WSTb2HRN7Va1nR9zZiag

    • Score

      1/10
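The PowerShell signature in the first target above describes Defender exclusions being added from the command line. As an added example (not part of this report or of any vendor tooling), the following Python scans constructed process-creation events for Add-MpPreference/Set-MpPreference exclusion parameters, first expanding an -EncodedCommand payload so the cmdlet cannot be hidden behind base64. The event field names, the sample command lines, and the encoded payload are assumptions.

```python
"""Flag PowerShell command lines that add Windows Defender exclusions.

Added example, not part of the sandbox report. The events below are
constructed; the dict layout is an assumption standing in for whatever a
SIEM exports for Sysmon Event ID 1 / Security 4688 process creation.
"""
import base64
import re

# Cmdlets that change Defender preferences: Add-MpPreference appends to the
# exclusion lists, Set-MpPreference replaces them outright.
MP_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# -ExclusionPath / -ExclusionExtension / -ExclusionProcess / -ExclusionIpAddress
# followed by a quoted value, a bare token, or a comma-separated list of tokens.
EXCLUSION_RE = re.compile(
    r"-Exclusion(?P<kind>Path|Extension|Process|IpAddress)[\s:]+"
    r"(?P<val>\"[^\"]*\"|'[^']*'|[^\s,]+(?:,\s*[^\s,]+)*)",
    re.IGNORECASE,
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+(?P<b64>[A-Za-z0-9+/=]+)", re.IGNORECASE)
KIND = {"path": "Path", "extension": "Extension", "process": "Process", "ipaddress": "IpAddress"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_exclusions(cmdline):
    """List (kind, value) exclusions set by a command line; an encoded payload
    is decoded first so obfuscation via -enc does not hide the cmdlet."""
    text = decode_encoded_command(cmdline) or cmdline
    if not MP_CMDLET_RE.search(text):
        return []
    found = []
    for m in EXCLUSION_RE.finditer(text):
        kind = KIND[m.group("kind").lower()]
        for item in m.group("val").strip("\"'").split(","):
            found.append((kind, item.strip().strip("\"'")))
    return found


# Constructed payload for the encoded-command case (assumption: the cmdlet was hidden).
ENCODED_PAYLOAD = base64.b64encode(
    "Set-MpPreference -ExclusionProcess 'svchost.exe'".encode("utf-16-le")
).decode("ascii")

# Constructed process-creation events (field names are an assumption).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath C:\Users\Public, C:\ProgramData\vor -ExclusionExtension .exe -ExclusionProcess setup.exe"'},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_PAYLOAD},
    {"host": "WS02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"'},
    {"host": "WS03", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def triage(events):
    """Return one alert per event that adds Defender exclusions."""
    alerts = []
    for ev in events:
        exclusions = find_exclusions(ev["cmdline"])
        if exclusions:
            alerts.append({
                "host": ev["host"],
                "image": ev["image"],
                "encoded": decode_encoded_command(ev["cmdline"]) is not None,
                "exclusions": exclusions,
            })
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        flag = " (via -EncodedCommand)" if a["encoded"] else ""
        print(a["host"] + flag)
        for kind, value in a["exclusions"]:
            print("  %-10s %s" % (kind, value))
```

Read-only calls such as Get-MpPreference are deliberately not flagged, and the value regex accepts comma-separated lists because a single Add-MpPreference call can exclude several paths at once; the Defender operational log (Event ID 5007) records the same change server-side and is the place to confirm an alert from this command-line check.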

Tasks