General

  • Target

    RuneOnlineWorld.exe.vir

  • Size

    80.4MB

  • Sample

    240818-tlvj5s1hqa

  • MD5

    8206ddbe6e044fa86076be844877bbb0

  • SHA1

    66b447354eea18bcb96f66081328c50730a958f7

  • SHA256

    cdfe4f1c994364e3f04af3520e2a7768615c998555ff01007524223fbc2a6814

  • SHA512

    90f203bb7043d1fd9a7aa6d2189882bfc9620dd24a7f0d3d12ee929fd7ae68c816a6ecc4efa0d90e3c67de9193c46e01f0731d2edcbdd8bb66eac7a2d7753714

  • SSDEEP

    1572864:ZBfPkJopbdVrC34v03yf5Ufh4E0EHeftM0aWveVNOoF9nLHdc9qx:ZBf3pbdiQ4mEV0Fv7ojnL9cwx

Malware Config

Extracted

Family

stealc

Botnet

voidwalker14

C2

http://89.105.198.203

Attributes
  • url_path

    /01f0f648c0c07354.php

Targets

    • Target

      RuneOnlineWorld.exe.vir

    • Detects HijackLoader (aka IDAT Loader)

    • HijackLoader

      HijackLoader is a multistage loader first seen in 2023.

    • Stealc

      Stealc is an infostealer written in C++.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks