General

  • Target

    Growlauncher.exe

  • Size

    105.4MB

  • Sample

    240811-1ktpsatfpd

  • MD5

    55b5c5a5e18388025249a2a2a24c09df

  • SHA1

    1c10684b24c605f805bfd94f8ee74544f32b98d8

  • SHA256

    c9e0b0b6d477d32ab604417e59bb37586ecb3d708ce40481239bafaa425e2823

  • SHA512

    db04d0c7248b6a4963a781d466d7d808270276b9335bcf26afe60ba37102fb7a3ffb4a167563da03dbbbd12d431f0871cfaa23e9bed6caaaeec96d2ffc3a82b7

  • SSDEEP

    3145728:+vbzmWSkB05awcf0t3MgjQwIIuUjOE5snfdC0Y0T:ISki88Mph00fH

Malware Config

Targets

    • Target

      Growlauncher.exe

    • Size

      105.4MB

    • MD5

      55b5c5a5e18388025249a2a2a24c09df

    • SHA1

      1c10684b24c605f805bfd94f8ee74544f32b98d8

    • SHA256

      c9e0b0b6d477d32ab604417e59bb37586ecb3d708ce40481239bafaa425e2823

    • SHA512

      db04d0c7248b6a4963a781d466d7d808270276b9335bcf26afe60ba37102fb7a3ffb4a167563da03dbbbd12d431f0871cfaa23e9bed6caaaeec96d2ffc3a82b7

    • SSDEEP

      3145728:+vbzmWSkB05awcf0t3MgjQwIIuUjOE5snfdC0Y0T:ISki88Mph00fH

    • Detect Umbral payload

    • Detects Eternity stealer

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Growtopia

      Growtopa is an opensource modular stealer written in C#.

    • Modifies Windows Defender Real-time Protection settings

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Enumerates VirtualBox DLL files

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Windows security modification

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks