Overview

overview

10

Static

static

3

neverlose crack.exe

windows10-2004-x64

10

neverlose crack.exe

windows7-x64

10

neverlose crack.exe

windows10-1703-x64

10

neverlose crack.exe

windows10-2004-x64

10

neverlose crack.exe

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    neverlose crack.exe

  • Size

    295KB

  • Sample

    240902-k94y2sxarq

  • MD5

    01cc2b2bcef2f12ab9a10905f999027d

  • SHA1

    c62bb9b1532dc3f8638cc1ab5eb3b5f5185c2b40

  • SHA256

    d51154dab49e7c3199cb9fd75aa5c7f9eb58ed74c8ea5eb40601ee484dc0b578

  • SHA512

    025af3ae3fa059e364ef933cff47327436f08fb18379377caf7e71ced86f2c8adb4f56a79a643f3072c21b06e9e9b97f5945b9bdff1d29e798c6d9a5c3360d5c

  • SSDEEP

    6144:DVOuy8Et9vsiTzIpoOhYyC8M4i7jyVvdOe4BWH5Y5/zu4cCGb19e:bFigGOTCz17jy9Yer6dzIpi

Score
10/10
asyncratnjratumbralxwormvictimcredential_accessdiscoveryevasionexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1273828074898718851/qR9eE6omxJxFL_jVry1J18IsVQ6bHhsk5rGr5VLxyO-92VJHyGPK43BBNMWtaUG56gE2

Extracted

Family

asyncrat

Botnet

Victim

C2

127.0.0.1:1504

127.0.0.1:44256

meeting-compound.gl.at.ply.gg:1504

meeting-compound.gl.at.ply.gg:44256
Attributes
  • delay

    1

  • install

    true

  • install_file

    System.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

C2

meeting-compound.gl.at.ply.gg:1504

Mutex

f8ff2d3def0ea5927a14148fb1c0ef4a

Attributes
  • reg_key

    f8ff2d3def0ea5927a14148fb1c0ef4a

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

xworm

C2

meeting-compound.gl.at.ply.gg:44256

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Targets

    • Target

      neverlose crack.exe

    • Size

      295KB

    • MD5

      01cc2b2bcef2f12ab9a10905f999027d

    • SHA1

      c62bb9b1532dc3f8638cc1ab5eb3b5f5185c2b40

    • SHA256

      d51154dab49e7c3199cb9fd75aa5c7f9eb58ed74c8ea5eb40601ee484dc0b578

    • SHA512

      025af3ae3fa059e364ef933cff47327436f08fb18379377caf7e71ced86f2c8adb4f56a79a643f3072c21b06e9e9b97f5945b9bdff1d29e798c6d9a5c3360d5c

    • SSDEEP

      6144:DVOuy8Et9vsiTzIpoOhYyC8M4i7jyVvdOe4BWH5Y5/zu4cCGb19e:bFigGOTCz17jy9Yer6dzIpi

    Score
    10/10
    asyncratnjratumbralxwormvictimcredential_accessdiscoveryevasionexecutionpersistenceratspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detect Umbral payload

    • Detect Xworm Payload

    • UAC bypass

      evasiontrojan

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Async RAT payload

      rat

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in Drivers directory

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2behavioral3behavioral4behavioral5

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks