General

  • Target

    a.zip

  • Size

    10.0MB

  • Sample

    240705-tsahjs1flk

  • MD5

    11a63abfc7daf5a1e02f16b62f1ac705

  • SHA1

    41c6d5a7777a98a84c46307146245ec881485339

  • SHA256

    7c0b7f0a258f8d17a0ca27c5e03ce84f35cc3bd433f3a77b1b7fd58f061c8a91

  • SHA512

    68b49c722ecf83bf085bd0f33639aeb91764084e25ba00653b2f0915291e974618e741325bf9dfbbf4caea99eca1eabb953afaf1918304f9a53eb97624808ff1

  • SSDEEP

    196608:7AcgLO3NhRW+RHdQnGdtMT0MywRD6uWfrs3/N95nLj9zfAxcoINmLNLf:AU/R/R9ptE0Myw56ucuvdByz5f

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

C2

77.105.135.107:3445

Extracted

Family

amadey

Version

8254624243

Botnet

e76b71

C2

http://77.91.77.81

Attributes
  • install_dir

    8254624243

  • install_file

    axplong.exe

  • strings_key

    90049e51fabf09df0d6748e0b271922e

  • url_paths

    /Kiru9gu/index.php

rc4.plain

Extracted

Family

redline

Botnet

LiveTraffoc

C2

4.185.56.82:42687

Extracted

Family

redline

Botnet

newlogs

C2

85.28.47.7:17210

Extracted

Family

redline

Botnet

newbuild

C2

185.215.113.67:40960

Extracted

Family

stealc

Botnet

ZOV

C2

http://40.86.87.10

Attributes
  • url_path

    /108e010e8f91c38c.php

Extracted

Family

stealc

Botnet

Nice

C2

http://85.28.47.30

Attributes
  • url_path

    /920475a59bac849d.php

Extracted

Family

amadey

Version

4.30

Botnet

4dd39d

C2

http://77.91.77.82

Attributes
  • install_dir

    ad40971b6b

  • install_file

    explorti.exe

  • strings_key

    a434973ad22def7137dbb5e059b7081e

  • url_paths

    /Hun4Ko/index.php

rc4.plain

Extracted

Family

redline

Botnet

@LOGSCLOUDYT_BOT

C2

185.172.128.33:8970

Extracted

Family

lumma

C2

https://radiationnopp.shop/api

https://civilizzzationo.shop/api

https://affecthorsedpo.shop/api

Targets

    • Target

      ResIL.dll

    • Size

      1.4MB

    • MD5

      ee360e256e2b836865cf02a6bdd9e5be

    • SHA1

      cd5118ed4363d7fc0027133622dddb37e1c6bbe6

    • SHA256

      f9be6aea3b674a79872683a6622c3ba77fe628f5a2e7f0a000d379e2a0318310

    • SHA512

      3fe6b9fbddcf402ebdebbd4bcfbb3a8d4632bb576dcb44246c1e248076c1f09e6926448217ca724d4febc8fc879838d0d378eb7cc9d1922381acf093ee2a680e

    • SSDEEP

      24576:NL18jX6HrufWRTVl5DzapRdSdRBgF6MP70D16OAGZvEjm5YgWj55Tr52AaUzhW:fr2eVD9dRBgOv+mYTF2AaUA

    Score
    3/10
    • Target

      libGLESv2.dll

    • Size

      4.4MB

    • MD5

      e307e977ebb1df8ba0957a412425ed23

    • SHA1

      e024a7a81e7f485058fec40fd0a745f0d7aecb1e

    • SHA256

      af4f66e79e0cc1e4254f023cfb7f0140561c7d4e38d9bcf6184e8e69b32540db

    • SHA512

      ab5f5beb80915385aea4b62337178c6dfa964edfb7e20c22d364c99cd323fa50df9e2c640d7850765e5a683a07034d6be8f61f47f06a8d1ee1f594da804e6def

    • SSDEEP

      49152:PnBb2OR3KPf/Et3msx8M+TsZ2idR/O0zql9Kgtg6QMsWFxtqhk/bivfhjgrQuIEt:h5qc/622iLAv1NQcoa/bY3g

    Score
    3/10
    • Target

      res_mods/1.23.0.0/scripts/client/gui/mods/7zA.exe

    • Size

      722KB

    • MD5

      43141e85e7c36e31b52b22ab94d5e574

    • SHA1

      cfd7079a9b268d84b856dc668edbb9ab9ef35312

    • SHA256

      ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d

    • SHA512

      9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

    • SSDEEP

      12288:AwAxBpwU5gU+2/9dB5XlH1YAEa5OLW0TjLWG3rn0Yf5ogmn9X9Rf6TIALr22DIVM:AhY2gUfVH5XlVYzagW4/3rn0Y5zmzRfq

    Score
    1/10
    • Target

      setup.exe

    • Size

      794.4MB

    • MD5

      6d95cb153d6806c9f408fa1d17253001

    • SHA1

      38371c4df014bf03ea0430392202b78319f4b09f

    • SHA256

      a04defc1f6811ebb64907ad79c63c2ccedb2cba15afca05758f537768da7b934

    • SHA512

      0ab1800b639709648e82c9370e727999de9b5564107cd41b2d0ff5bbbb6f324a854ef5a5269cd8c3f3ac96c669014b9eac398c8902e47d779027b6726aec95d2

    • SSDEEP

      98304:dmg6rK+6/Murdncf8kJPBesTcbMl3sjWpoDELiDKzyeByA:doYMKaP5eqcbM5sOLiDheB

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

    • Lumma Stealer

      An infostealer written in C++ first seen in August 2022.

    • Modifies firewall policy service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Stealc

      Stealc is an infostealer written in C++.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Creates new service(s)

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Files and Directories

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      updates/Uninstall/unins000.exe

    • Size

      1.5MB

    • MD5

      3ab31d714c50ae078f9eaba7b2497191

    • SHA1

      45c5e807e459d95618c03a6ded9debe1d70013f3

    • SHA256

      4f1ad8d1547c95e51defcb129c5dcf2568c9735524ab3face5f0fafc5bcbc0eb

    • SHA512

      f89961fb914796b07da8f224317bb794f9cf0cc8b40e635823b0bb8a6713048c5b2de08e1c4e9dd4f81c6f579e3bc3551a9342ba34db9a6de1c0d6755ec140ae

    • SSDEEP

      24576:0H9/gqpQYze0XKvc4BYCsCS3D4kjiIUjyeyXEDq8UbVlc3GYgl4KvjKMrexLxB:cIEJxCWluyZ8UbMZz

    Score
    7/10
    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      res/vehicles/tank_crash.dds

    • Size

      192B

    • MD5

      4f4d7fe02a793313fb9966531f7076e0

    • SHA1

      b352b14c3fc589541504c11257ccf14928c2f322

    • SHA256

      c9d19ed823de4bafecb5b16f999239e9f59ed1c20e596da4108bfe74e51d864a

    • SHA512

      3fb3bef437ffbf1f7bfe2776aadd214e4f17aaec82dc6b7ce6cb595cb0cbfb4d3ede13dd838f9786f23e9f8f14a62253bfb55a99efaef6e18733823790add248

    Score
    3/10
    • Target

      vivoxsdk.dll

    • Size

      3.9MB

    • MD5

      2e61c567d528d08cef62b718cb8aa82f

    • SHA1

      43d40774fc9495f9be27f8176b6d1816241237de

    • SHA256

      a887805bf1286725ab930359086fb3302124f5ff81b2d9f43633dc02b97c7577

    • SHA512

      17c9d4fe2d03e2723f37534701238688443041fe75ac77e7cfd8aa1b4a3885fb92dcdb23186a7415119e91def9e6fb6fdd27a7cf2fb810a32ed236ba2230d2b0

    • SSDEEP

      98304:vkp0f3BzK7rh8Kg5IILhzkxJ4dFumlwtDCv49rMe3G0MxVp:cCf3tK7rh8Kg5IILhzhlVp

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

Score
1/10

behavioral2

Score
3/10

behavioral3

Score
1/10

behavioral4

Score
3/10

behavioral5

Score
3/10

behavioral6

Score
3/10

behavioral7

Score
3/10

behavioral8

Score
3/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

evasion
Score
10/10

behavioral14

evasion
Score
10/10

behavioral15

amadey, exelastealer, lumma, redline, stealc, tofsee, 4dd39d, @logscloudyt_bot, e76b71, livetraffoc, logsdiller cloud (tg: @logsdillabot), newbuild, newlogs, nice, zov, defense_evasion, discovery, evasion, execution, infostealer, persistence, privilege_escalation, spyware, stealer, trojan
Score
10/10

behavioral16

evasion
Score
10/10

behavioral17

Score
7/10

behavioral18

Score
7/10

behavioral19

Score
7/10

behavioral20

Score
7/10

behavioral21

Score
3/10

behavioral22

Score
3/10

behavioral23

Score
3/10

behavioral24

Score
3/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10