Overview

overview

10

Static

static

10

forrtnitecheat.exe

windows7-x64

7

forrtnitecheat.exe

windows10-2004-x64

9

main.pyc

windows7-x64

3

main.pyc

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    forrtnitecheat.exe

  • Size

    17.8MB

  • Sample

    240913-tdgcjswgre

  • MD5

    4f08a5b215ec38c21923874c18ca50ef

  • SHA1

    33d05d1819f65f5e920e2bc3024e4fef51f25a88

  • SHA256

    955f8880178877e4fd5c6495c74bfb5132e522541efad5420b495733c893d24d

  • SHA512

    dfc2e85e63dd1b149daea9972b9f691a9ad0a89c2172e8e8dbc2a0e0265d31e04753f8a5cf4c66ef947dc31a522f897432e03b7e14da85ae98e6e74bfb4e20ce

  • SSDEEP

    393216:HqPnLFXlreQ+DOETgsvfG7hgOaNpvE/HhpbV4Yaq:KPLFXNeQ/EwvaNe/Pb5

Score
10/10
empyreancredential_accessdiscoverypersistencepyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      forrtnitecheat.exe

    • Size

      17.8MB

    • MD5

      4f08a5b215ec38c21923874c18ca50ef

    • SHA1

      33d05d1819f65f5e920e2bc3024e4fef51f25a88

    • SHA256

      955f8880178877e4fd5c6495c74bfb5132e522541efad5420b495733c893d24d

    • SHA512

      dfc2e85e63dd1b149daea9972b9f691a9ad0a89c2172e8e8dbc2a0e0265d31e04753f8a5cf4c66ef947dc31a522f897432e03b7e14da85ae98e6e74bfb4e20ce

    • SSDEEP

      393216:HqPnLFXlreQ+DOETgsvfG7hgOaNpvE/HhpbV4Yaq:KPLFXNeQ/EwvaNe/Pb5

    Score
    9/10
    upxcredential_accessdiscoverypersistencespywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      main.pyc

    • Size

      7KB

    • MD5

      691d3d1c1fbfd1ca9daeb26e663eab45

    • SHA1

      e6ad9efd4b0fb2333f696b9454e18eae7190ed8e

    • SHA256

      a4314d60bd533ab0c8ff294687a1c845fb454d3a65e8956fd26b2ff88ee287b7

    • SHA512

      ea0711819572f9707b9f8f29195103b0860db9f1bc7d856b755360a301b6aefbb6813e5cd8005d00a763b4b956b1b07d76e00cc56812ba334b61ce62613d0081

    • SSDEEP

      192:wMibj7kFBD8L2eWdXwYmCqLJhw/Kf8i7Mdwtbnw:Aj7kFCpWuH2/Kfd7PJw

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks