General
Target: Vorion App Setup.exe
Size: 47.3MB
Sample: 240606-kp6bdaca5y
MD5: cab622641242a6f2fcbb8a1ae2698fd2
SHA1: 9d56b54643706787c16f0cae4e9e565c1e1a49ec
SHA256: f3176e0859ba92049dcd57685c1b5f49b97183ff49fcc79f2ce4ad2b31d2d843
SHA512: 324ad8a7669d15ef19d0c1d7b362d17f2118414b4e8672921fe45994db0425200a38e26fc4c169ecb19f7c4aa8233fc5dfd32c3cb32e600cc031139d0e530cf1
SSDEEP: 786432:MXCn7F7DZHw0SLuXUG6fssNb8ReGJqznv+DGODFjupn5oZfikV6PH2fLbTvkw0Y7:MyRPZQ5LKQ0sNGWO1FpZf+PH67vkoGKL
Static task: static1

Behavioral task: behavioral1
  Sample: Vorion App Setup.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: Vorion App Setup.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral3
  Sample: PenImc_cor3.dll
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: PenImc_cor3.dll
  Resource: win10v2004-20240226-en

Behavioral task: behavioral5
  Sample: System.Buffers.dll
  Resource: win7-20240215-en

Behavioral task: behavioral6
  Sample: System.Buffers.dll
  Resource: win10v2004-20240426-en
Malware Config
Extracted
  stealc
  vor4
  http://45.88.77.28
  url_path: /f6a9d3a0017c37c9.php
Targets

Target: Vorion App Setup.exe
Size: 47.3MB
MD5: cab622641242a6f2fcbb8a1ae2698fd2
SHA1: 9d56b54643706787c16f0cae4e9e565c1e1a49ec
SHA256: f3176e0859ba92049dcd57685c1b5f49b97183ff49fcc79f2ce4ad2b31d2d843
SHA512: 324ad8a7669d15ef19d0c1d7b362d17f2118414b4e8672921fe45994db0425200a38e26fc4c169ecb19f7c4aa8233fc5dfd32c3cb32e600cc031139d0e530cf1
SSDEEP: 786432:MXCn7F7DZHw0SLuXUG6fssNb8ReGJqznv+DGODFjupn5oZfikV6PH2fLbTvkw0Y7:MyRPZQ5LKQ0sNGWO1FpZf+PH67vkoGKL

  Detects HijackLoader (aka IDAT Loader)
  Rhadamanthys
    Rhadamanthys is an info stealer written in C++, first seen in August 2022.
  Suspicious use of NtCreateUserProcessOtherParentProcess
  Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  .NET Reactor protector
    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  Accesses cryptocurrency files/wallets, possible credential harvesting
  Downloads MZ/PE file
  Suspicious use of SetThreadContext
Target: PenImc_cor3.dll
Size: 158KB
MD5: 362e037c4be1cb28fac25612e9be029d
SHA1: 4a11ab39dbd0dba5480f54324c58f8294b19ce5f
SHA256: f95b51b5bee746ea3430a277f0473f42e4e22fc12b8dbfc719346cee579b80ff
SHA512: 945b6cc6cba7742323b6cc023eb78b227180bf8a0f8c134871948410b48d9399ae68f52ef80e18945fb018508f92ae6da9584c75c6f12fe06f6e86fdea4611d6
SSDEEP: 3072:OzAUq2kMBlUb8BQLBzDUw7aaHSuEmUgPuoATZ+AiRvYY4ZmoJ:OzHkMTvmLtDUw2huEmd2LbYvi
Score: 1/10

Target: System.Buffers.dll
Size: 15KB
MD5: 0ee3421b5e820a5eb84aa26fc69409d1
SHA1: 7d7af7d3d87b33e3f65a3cdfa84bb073e0b91eb1
SHA256: 690ef287a0331844cc83fad41417992b5bf65590cdf803377802dd94a05cc0df
SHA512: 27442ddc8eb876f76aeaf4d80f479d05dab6817657f50699527b163e855561812f48f4a11d5fc84c148d5f928cfc91476686eeb479580e2fe1f71a85980bffb9
SSDEEP: 192:z8lEywWN2WSuWXebPpUNTQHnhWgN7agW+5E17weX01k9z3AIiajs:zCqWN2WSTb2HRN7Va1nR9zZiag
Score: 1/10