empyrean | 6b55434b24ebda6659479358d5d66ae7ee02552656234a36fcd2a7c7c4b852c9 | Triage

Submit
Reports

Overview

overview

Static

static

TROLLLOLL-...in.exe

windows7-x64

7

TROLLLOLL-...in.exe

windows10-2004-x64

7

Sharing

General

Target

TROLLLOLL-main.zip
Size

78.7MB
Sample

240708-nl22bsygnh
MD5

71e713dd3adb5162493877d698767493
SHA1

75c04f6ad957c7a5057963339476408ea8e507db
SHA256

6b55434b24ebda6659479358d5d66ae7ee02552656234a36fcd2a7c7c4b852c9
SHA512

2b67cbea20eca6714390c4cd34a2452a726b41eacda0cc9729224cbc6ec6169fdda2c6857be386f620ffb1bf50e3f31e21f26eda2ef5fa2e8e8996590a5c7b4e
SSDEEP

1572864:viu5xhyD0sNAD5YIE7HhN9n0NeTBXbt6hID3dYdjacB2RVgZ06Kmj7uqi0e:vnV4ANYIk3x3lXJ6o+d2c8b+0dmPje

Score

10^/10

empyrean quasar skuld stealerium test persistence privilege_escalation pyinstaller spyware stealer upx

Static task

static1

pyinstaller test stealerium quasar empyrean skuld

8 signatures

Behavioral task

behavioral1

Sample

TROLLLOLL-main/main.exe

Resource

win7-20240704-en

windows7-x64

4 signatures

150 seconds

Behavioral task

behavioral2

Sample

TROLLLOLL-main/main.exe

Resource

win10v2004-20240704-en

persistence privilege_escalation spyware stealer upx

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1229897378534785024/w913pfbmcplo1dycWrPCWhWLxOF9dTH_FifkgM7MDcaPqzxlJtqs63z7GsIqXUNRUY1Z

Extracted

Family

quasar

Version

1.4.1

Botnet

Test

C2

47.134.26.200:4782

193.161.193.99:23325

Mutex

9cabbafb-503b-49f1-ab22-adc756455c10

Attributes

encryption_key
8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MS Build Tools
subdirectory
Microsoft-Build-Tools

Extracted

Family

skuld

C2

https://discord.com/api/webhooks/1241946879428792391/E4kLuT4H7xIgf8x5LgPsoaZ6xw6Se0ShMgu1D6zvkZ4oHp-vBo21j2Pn6QWrNlMwFzCF

Targets

- Target
  
  TROLLLOLL-main/main.exe
- Size
  
  18.5MB
- MD5
  
  69a7f0f924be865d872125bd54dfca3d
- SHA1
  
  54994d0074cc1819575f9ba1e45c9bd8b2232ab6
- SHA256
  
  5a4163a2499b68630f50b86446ef82d0e0e64c2f89202038042765adedc374bd
- SHA512
  
  be98b08245d9ac83e5bcdea08fbf9b55097b00c9fb8d958f291ecc5cb3e3f9a8cfd10376262eef1691c68214c5246822d010ce29a94d67c49fdc5c6b8c259c87
- SSDEEP
  
  393216:VqPnLFXlrPTQ8DOETgs77fGFUgUbkxvExu/36q:MPLFXNbQhE7XXIGkb
Score

7^/10

upx persistence privilege_escalation spyware stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Netsh Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Netsh Helper DLL

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

pyinstallerteststealeriumquasarempyreanskuld

behavioral1

behavioral2

persistenceprivilege_escalationspywarestealerupx

© 2018-2024

Terms | Privacy