Overview

overview

10

Static

static

3

advanced_s...ix.exe

windows7-x64

10

advanced_s...ix.exe

windows10-1703-x64

7

advanced_s...ix.exe

windows10-2004-x64

7

Resubmissions

08/09/2024, 12:45

240908-py3daswhkn 7

08/09/2024, 12:32

240908-pq3n4aycqf 7

08/09/2024, 12:16

240908-pfhwyaxgme 10

08/09/2024, 12:00

240908-n6lj3sxcmf 7

08/09/2024, 11:38

240908-nr29aawekf 10

Sharing

Copy URL Twitter E-mail

General

  • Target

    advanced_systemcare_pro_v17.6.0.322___fix.zip

  • Size

    21.7MB

  • Sample

    240908-pfhwyaxgme

  • MD5

    2e6504d4eef2e03f5c1151d713ad4fc5

  • SHA1

    c49b72aa6c3f23034f516857390d899a25e8f4f8

  • SHA256

    beda3334ba514f8b961f01e1b5e1ce651304658046267f502c520b5bba387889

  • SHA512

    1f9efc8d0e2ec42a35dec0f6353828dedca3244567a5cd7f0995892dfd5fbd9cc12252c34a6a05fa5bf099594d4dd04f17d418f03f8c6b7f9a0257bc43024974

  • SSDEEP

    393216:VUi1l8b3i+cKNn4PfcZYiHc3sdGGo5woX40LP5CVtT6cfWDjax/Gle26xzDJ:VN8b1S3+YGc8dGPXl5CX6caq/GwJ1DJ

Score
10/10
cryptbotstealcxmrigravecredential_accessdiscoveryevasionexecutionminerpersistencespywarestealer

Malware Config

Extracted

Family

stealc

Botnet

rave

C2

http://185.215.113.103

Attributes
  • url_path

    /e2b1563c6670f193.php

Extracted

Family

cryptbot

C2

tventyv20sb.top

analforeverlovyu.top
Attributes
  • url_path

    /v1/upload.php

Targets

    • Target

      advanced_systemcare_pro_v17.6.0.322___fix.exe

    • Size

      923.3MB

    • MD5

      56350b49279ccf7a67d8149a9c25ab4b

    • SHA1

      77a78bbf68ab7564b5f0aecafb84173363f3f22e

    • SHA256

      18bcbd5161a3311538446b0497ccfa40fde691e1afdbdbb083a156288ea5f666

    • SHA512

      775425c7607e9aa99b5c1ab0a914b602c0d038639b484c1eb263fb5da07ab7103a867370782d6200c10a8f1f5fca145eb518851f081eb2b6e8664d9a76d06b92

    • SSDEEP

      786432:aK8eGdUugDCFZUiX8Uk3Ll7pkyAdXroyghObNrG:aKydJgGFaiX8UyLZpkyAdXrpLbE

    Score
    10/10
    cryptbotstealcxmrigravecredential_accessdiscoveryevasionexecutionminerpersistencespywarestealer

    • CryptBot

      CryptBot is a C++ stealer distributed widely in bundle with other software.

      spywarestealercryptbot

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • XMRig Miner payload

      miner

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Process Discovery

1
T1057

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks