Overview

overview

10

Static

static

3

!Card Chec....1.exe

windows7-x64

7

!Card Chec....1.exe

windows10-2004-x64

10

!Card Chec...ip.dll

windows7-x64

1

!Card Chec...ip.dll

windows10-2004-x64

1

!Card Chec...py.dll

windows7-x64

1

!Card Chec...py.dll

windows10-2004-x64

1

!Card Chec...ol.dll

windows7-x64

1

!Card Chec...ol.dll

windows10-2004-x64

1

!Card Chec...er.dll

windows7-x64

1

!Card Chec...er.dll

windows10-2004-x64

1

!Card Chec...ET.dll

windows7-x64

1

!Card Chec...ET.dll

windows10-2004-x64

1

!Card Chec...es.dll

windows7-x64

1

!Card Chec...es.dll

windows10-2004-x64

1

!Card Chec...on.dll

windows7-x64

1

!Card Chec...on.dll

windows10-2004-x64

1

!Card Chec...ta.dll

windows7-x64

3

!Card Chec...ta.dll

windows10-2004-x64

3

!Card Chec...32.exe

windows7-x64

1

!Card Chec...32.exe

windows10-2004-x64

3

!Card Chec...xt.exe

windows7-x64

3

!Card Chec...xt.exe

windows10-2004-x64

3

!Card Chec...ib.exe

windows7-x64

6

!Card Chec...ib.exe

windows10-2004-x64

6

!Card Chec...rp.dll

windows7-x64

1

!Card Chec...rp.dll

windows10-2004-x64

1

!Card Chec...op.dll

windows7-x64

1

!Card Chec...op.dll

windows10-2004-x64

1

!Card Chec...rp.dll

windows7-x64

3

!Card Chec...rp.dll

windows10-2004-x64

3

!Card Chec...op.dll

windows7-x64

3

!Card Chec...op.dll

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    6b21f3653edd8347b58d984264e71dc8a81800f7c8e2610e0fdbfee09459fb1a

  • Size

    78.8MB

  • Sample

    240906-mr3z5ssdmc

  • MD5

    f3a1ffd8887274a7b230ddf1cfba6174

  • SHA1

    7a7d05d7b8f37bb92b0012830ad76097bf873144

  • SHA256

    6b21f3653edd8347b58d984264e71dc8a81800f7c8e2610e0fdbfee09459fb1a

  • SHA512

    9f9b287ccad07b7f1a38219f4e8aee31fcd0ca262b85fb0dbbf325387fd9f22bb5191a6a4aab5746423c9c9572dc0ad4066170291b0abb96aab2e5de0491d3d0

  • SSDEEP

    1572864:WBHReDM6aUNjcnT53cbbganecDN4hn0GNbLxltGI5o+kBIkKP3nP:WOgVs7/gaecDN4hn0YvR5oszvnP

Score
10/10
exelastealercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      !Card Checker by Mirai/Cracked by CRAX-it v3.0.1.exe

    • Size

      72.0MB

    • MD5

      6a2030444c1f3d86deec3e47ad9f8d05

    • SHA1

      241d5b89f494a7602dea839a63e71a06762b2d4e

    • SHA256

      1d4cb2cb2a9dedd9558e29c069a9731aec5f812bb4f80d2e7eb2e80fb4bfb0d8

    • SHA512

      160ab0e00bf95083720f63b23b345c66b19a382ea32ae5c045e7159532223f0d043535d2a90b95682c70ca8276928bc18d9fa6c3e9436708b6f67986d161ba7c

    • SSDEEP

      1572864:4TdqoapvcLvFPI2RYOC+GwHubz43ycE3BbToHC3PVmuUSN+:Evi2ZGKCBovuLM

    Score
    10/10
    discoverypyinstallerupxexelastealercollectioncredential_accessdefense_evasionevasionexecutionpersistenceprivilege_escalationspywarestealer

    • Exela Stealer

      Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.

      stealerexelastealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Service Discovery

      Attempt to gather information on host's network.

      discovery

    • Enumerates processes with tasklist

      discovery

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion
    behavioral1behavioral2

    • Target

      !Card Checker by Mirai/DotNetZip.dll

    • Size

      462KB

    • MD5

      79c304e621ffbb4611b698dc2fb9dc41

    • SHA1

      30413ad0c9e2f955ec43ed9dceb156edb11c419c

    • SHA256

      46103e4d053be472f1c85223a43e179a5f022df14607febf6f48837473bd3e9d

    • SHA512

      fef8764cb5f15444ef8dc6877bfd45133af019a87158c701a95c87f3297e32e27607daddbf4aa365133d60fc3f449acfa4f5c003ffd478c59d7940154d9ab5a9

    • SSDEEP

      6144:iF4lenKdxBoW6iev7zBIL09vdGtSV41kJDsTDDpBnse6OVxLV/xgaqYN3fmxalo:iF4lqKdxBdheDES4csRBse6sfzVca

    Score
    1/10
    behavioral3behavioral4

    • Target

      !Card Checker by Mirai/Entropy.dll

    • Size

      104KB

    • MD5

      d45282966db7731687135c76963634a1

    • SHA1

      8f217e0b15846a45f7e6e528e5f99ef425efe4e3

    • SHA256

      68310ea51caca38b53b4ae3d5eb7a24127da4b1021c36963e77a0dacf4aeff73

    • SHA512

      98f1035130a3126fd1613f1ab23c5328a763d56dd2b211d12ab2a17529a3ed1c2542a8f00cfa3ca7224e1d7d9e2dff378dd90a8adcd72f1566175308c038d943

    • SSDEEP

      1536:GaQAfp1LJb4vLl8JWOKweLZjdtey2+0A1afQ9EUWtgCNC40fa:Gifp1LJcjl8JWOKweRdEykAWtgCGa

    Score
    1/10
    behavioral5behavioral6

    • Target

      !Card Checker by Mirai/HandyControl.dll

    • Size

      1.7MB

    • MD5

      f68e64637ac34443ab8fb83bbeab2bf7

    • SHA1

      82e5a63b21f02ff3ac651a203523fb473a1aead5

    • SHA256

      471a6ce1aff5b635df599f21cf3e4894d9e893ec9d42d733f9f5c3672bdb8383

    • SHA512

      e41119634301244331eae3ed13b3a739e68b2a45a1f8c08949d37bce7d189687568cc19c382749ab906ef536305bd1f14d4462e2d27667af256fb047d1eb4eb0

    • SSDEEP

      24576:qwr+FdUo+3uuobzeXEF7qpILuLUiOBqiIiGiXiIi6ioIP7cTq2b6s8uUpWGGv+dN:q1+3ubbzapdMvw0GcZ

    Score
    1/10
    behavioral7behavioral8

    • Target

      !Card Checker by Mirai/IpMatcher.dll

    • Size

      12KB

    • MD5

      66b5ee1af1d75592612e24bb1bf10072

    • SHA1

      6a104e3338f1534a1233872574bf4e00535154d1

    • SHA256

      318d50f35b83ec3a2f0fc339d4155c47d2d9ddf3444047934bbcdccef8167e39

    • SHA512

      213af0bedef1c1e66169cce7509298b872f09e56972781ab3db6d2884c63200ea35d6e815b28d8fa97d92a385df3a9af80bc5b0c03d416e0551a327a199fb403

    • SSDEEP

      192:2gZAuCfvti3mt3LjCm31CLiQST1YuDIl4TWQelDoFujH8Z:lvCfvti3mxLjCm31CLiQST1YuDIVTlDQ

    Score
    1/10
    behavioral10behavioral9

    • Target

      !Card Checker by Mirai/MailBee.NET.dll

    • Size

      1.7MB

    • MD5

      0b309ea2d92164c41937efc3c4a75cb3

    • SHA1

      9ed899ea9f15c69d21b81f57d74d9d07c4d8cd0f

    • SHA256

      7428e138a0b2a9e87f8c47076074d29e8d9ba18e07784db6d568ec15cde88bbe

    • SHA512

      4695fc4e240e1a3ec8ec14f984c3c0191e4c265ea9b7bb44529bf54fd4365d2d09cf5110138c66896ab71512c7b7a36da0eb63202047e705375a4ea1467eb6ae

    • SSDEEP

      24576:dDMgcE4ilhMM9XBav0OvQRka9P7mijqMaP7P:dDMgcWfMM9XBQ0Ov0mi217

    Score
    1/10
    behavioral11behavioral12

    • Target

      !Card Checker by Mirai/Microsoft.Bcl.AsyncInterfaces.dll

    • Size

      16KB

    • MD5

      1e79035fda3aa29bf70f9df1023ce3ca

    • SHA1

      847ab97b81dd1c83ae196307b52d8ae983ec5b8f

    • SHA256

      fc3827cfb6834f0ffa6cb76278f309a3b598ae01c751f13fbeb57886e4168943

    • SHA512

      338550a154ce6f876e101c5d66cd78a04126ab9236c3fd1ebc124ee9db1b72f8a16f1ed6f857fb773581326ac5fc808939b7d3c9fd529123137b48ef4bf9b768

    • SSDEEP

      384:DOJWqnwnBbNA1kq40VES2j0cX6dAl+NW2VzrdcmDqxRWeq/Ws:DulwnBhYlTVv2wK5idcgF

    Score
    1/10
    behavioral13behavioral14

    • Target

      !Card Checker by Mirai/Newtonsoft.Json.dll

    • Size

      679KB

    • MD5

      69c1a967b27ef8657e8c6665de47527b

    • SHA1

      34bb58f3d27335bd055d297bc52ce2146698d711

    • SHA256

      3be4fda7b6bd04e9aeaabf973ccc952afb5c0a6aa0fa672831ca82df218df84a

    • SHA512

      1ee211079618d3b019e0b89d984fc8fef5ad359c312104eee46ce5ddac74271f70fe0d61967e7fc325d7e0181760ca265dc547300237c32f2e35ecc14d3b7f58

    • SSDEEP

      12288:CLnRIXzZu/3yNFCU8xF6xc8yNRaVjI3QMDajj1HiiiR8MJhBB0ihT1fWNUwHOvWG:inR0Q/3yN4U0Wt6MBCjCu

    Score
    1/10
    behavioral15behavioral16

    • Target

      !Card Checker by Mirai/PresentationFramework-SystemData.dll

    • Size

      8KB

    • MD5

      dca6f1b8644df5d0890a7dbc6411e86c

    • SHA1

      27066bf658df2d398aad6003ae8496dcf015a4d5

    • SHA256

      48883bd04158c2456ea1be831b559b594fb86199c0d9618e7c3fde45a986ab26

    • SHA512

      046020ad671d37935eb674988186eb6a8a28b093887f572a4604781be3f8fc6d9df96a00580f352789bdb7ea0f8ebaf6ee3cf13c6be5118bd1df290a3487742a

    • SSDEEP

      192:cmBvnnwQh8N/UH6AKwBz1o5fDzupoiuhuWHsWYSW:cmVnn98N/Y6m3o5PPiu0WHsWYSW

    Score
    3/10
    discovery
    behavioral17behavioral18

    • Target

      !Card Checker by Mirai/core32.dll

    • Size

      238KB

    • MD5

      4e6a7ee0e286ab61d36c26bd38996821

    • SHA1

      820674b4c75290f8f667764bfb474ca8c1242732

    • SHA256

      f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3

    • SHA512

      f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

    • SSDEEP

      3072:6sGTNBBPt3lBtx5ebLDCc0p00JakwEn0ZtAq0nHHdNwooe+6t3ieCx9UWPrcFw+z:ID5t3lBrGdkwFi3HHdN1Zt9CxVgeH

    Score
    3/10
    discovery
    behavioral19behavioral20

    • Target

      !Card Checker by Mirai/drivefsext.cfg

    • Size

      211KB

    • MD5

      59238144771807b1cbc407b250d6b2c3

    • SHA1

      6c9f87cca7e857e888cb19ea45cf82d2e2d29695

    • SHA256

      8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b

    • SHA512

      cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

    • SSDEEP

      3072:CFITGLr+kmeUE2+YA8zuxD1gb/uVVohUFVEovODl9ply5nk/7K1bjT5h3qs:CbLUEkAtvaumhUXvwl9P62

    Score
    3/10
    discovery
    behavioral21behavioral22

    • Target

      !Card Checker by Mirai/lib.bin

    • Size

      2.6MB

    • MD5

      0bd541037d1794d63bb58654f1e897c5

    • SHA1

      a901fc2bc1fcc672b6dfee0d3e93b4ca8f11c710

    • SHA256

      2e8931e43c5674bc641651868ef311e2d3407e0132325c0795bdf4f5404fb30f

    • SHA512

      85412b5357e65ceebdd1f460e4764e3b5b11c242250500f9f55fdbaa0d2c6aa15cf0f68f7e1d88369a013a2d16c95e235db68dd48590e306de59cf01fb7128c9

    • SSDEEP

      24576:rVsQ6BKfC+CWDU2fy6Uuri8MmOmbCYUz7PH8Zeaj0HM3ow5Xt:rVeBB2kMOnYUvPb

    Score
    6/10
    discovery

    • Legitimate hosting services abused for malware hosting/C2

    behavioral23behavioral24

    • Target

      !Card Checker by Mirai/x64/GoSrp.dll

    • Size

      2.6MB

    • MD5

      8f5f6ee061242d609bd05b48479d887a

    • SHA1

      0005089c13ba90f2d150a6e117bf463a6e28af54

    • SHA256

      6b7778f1c17b1a2d48970bdec81f1f1436066c662222ffa8200dee7c3fe610c2

    • SHA512

      f4eda39b2bf9fe358cabb31e5f839e12704598505c16d6dd26550a5d1fa05775d34bc0ce6f631f4e3db95072630b60968cbe59d146055f87d197c9153dcdb1aa

    • SSDEEP

      49152:IW/gxY8qgo2P+vrBQiDSLDBK31Al++gMrL+:cxYJgo2o5k/gEL+

    Score
    1/10
    behavioral25behavioral26

    • Target

      !Card Checker by Mirai/x64/SQLite.Interop.dll

    • Size

      1.7MB

    • MD5

      1288823e8e1fca09bb490ce46988188d

    • SHA1

      b07fe4a5d032296e3a7d0727216af8c1d2166e91

    • SHA256

      6514973856d1767ccb375dcb253400e710fb4f91feb758041d8defe92b1886c5

    • SHA512

      88967f64116951092a54118055eab462082f16676ea7565f42515e88765813b53cdfbba5181318e73b668e04ddd030a0bfcf5cf47936772f68df85488b865acd

    • SSDEEP

      24576:xcpbyKNk5l/+ddQOJ3e4vYb0XrdhCplVv1GXOO4PmhFGYHnRELAqqU:SpbB0l/+d1c0RIJvGZ2anYqU

    Score
    1/10
    behavioral27behavioral28

    • Target

      !Card Checker by Mirai/x86/GoSrp.dll

    • Size

      2.3MB

    • MD5

      b1e99d702b0324e19b8cdc5aa8c9cd2e

    • SHA1

      1473b708f7c516dc31612c74cb773396f3f7ca93

    • SHA256

      e2a69763eb347b86c5426a5028650388be585df43cbf03beb576acd095038296

    • SHA512

      3afec80909a88ffa8a760c6b156e998504f148455bf514512bc8812e390c59835e9a8cce57b041154c894915e47c40750eab66d84c4d7eb1f0257cf177481442

    • SSDEEP

      24576:Z3rEK7jLQfvtqvZ8UaqvFbK8qUhk8GJXiV6doA+4MHPEBm3KXUQwFAR8YtVrm7C8:ZQdkK8qU6BWStV+Cz8MVZ69rF1Mr3iHr

    Score
    3/10
    discovery
    behavioral29behavioral30

    • Target

      !Card Checker by Mirai/x86/SQLite.Interop.dll

    • Size

      1.3MB

    • MD5

      9b68a8d0393fbce1976c19107422f097

    • SHA1

      b645fc9aff04f1de9d31d4c4b965ae0a1e3549d0

    • SHA256

      f16dea838efc5b074f8d8b2f8e14ab77ec744648b1d5dd550456c2f99c12bbdc

    • SHA512

      7989b760012fcab665591c2528d8ecaead09cd9cd74a7208ef6177b36581d381574d007a31bb4c55da7bc793000bf71be546b1caec59c380ab8962ea2b719933

    • SSDEEP

      24576:Od/jGQ1cL7Y5POF9y4Fsiem2gUJ4TmrQD06dr13TkhGb2/FJC//3bpdR:OjGQ1QKy6rQDFdrRIJ6//3bpdR

    Score
    3/10
    discovery
    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Persistence

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Account Manipulation

1
T1098

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Network Service Discovery

1
T1046

Permission Groups Discovery

1
T1069

Local Groups

1
T1069.001

Process Discovery

1
T1057

Query Registry

2
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

System Network Connections Discovery

1
T1049

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

3
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

Score
3/10

behavioral1

discoverypyinstallerupx
Score
7/10

behavioral2

exelastealercollectioncredential_accessdefense_evasiondiscoveryevasionexecutionpersistenceprivilege_escalationpyinstallerspywarestealerupx
Score
10/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

Score
1/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

discovery
Score
3/10

behavioral18

discovery
Score
3/10

behavioral19

Score
1/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
6/10

behavioral24

discovery
Score
6/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10