growtopia | a7cac9691778468185b7d6ec1735f4a1f07de8eccb946e8d4d2224d8a6bab4d5

Sharing

Copy URL

Twitter E-mail

General

Target

Ozz Stealer.zip
Size

2.3MB
Sample

240917-rs1nmayamj
MD5

e8f8fe3eca656cdb02dccb6f8fbbf48d
SHA1

54e5d2d06fc6e2a4a31911de563faf091c68f81c
SHA256

a7cac9691778468185b7d6ec1735f4a1f07de8eccb946e8d4d2224d8a6bab4d5
SHA512

2409d7ad230135ac8bf3f4cda24da75f6a86f9966f0c5767b1e4149e6f295c7d3b4480254d050dc26b97e381cab088b426a7d53ba6673b3277a2cfd36c4f2ed9
SSDEEP

24576:WKgt9v8Rt2G+SuZ/Ym1Gj2uhl9jzcY0XW9x7Ow0TjFXNR0+A80vIqrdhe6cAkc/o:Hgrm/uVdo9jzv71OZtNWRQCAIki0mnDy

Score

10^/10

Malware Config

Targets

- Target
  
  Ozz Stealer/Guna.UI2.dll
- Size
  
  2.1MB
- MD5
  
  b429ae86c5be521bc8ca3b164cec3acb
- SHA1
  
  387560073ff5a1f2191abc6f75fc34532bbb6dd2
- SHA256
  
  3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579
- SHA512
  
  eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1
- SSDEEP
  
  24576:DgWuftU4WrNOA6sM6kXxMfNmnjk/c5NrH0UUoo2QkJXVSItH5ppoO0KzJ6nFwHQL:DA+NOpXm1mnj0cP+DkhMAiawnFV
Score

1^/10
behavioral1 behavioral2
- Target
  
  Ozz Stealer/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  adf3e3eecde20b7c9661e9c47106a14a
- SHA1
  
  f3130f7fd4b414b5aec04eb87ed800eb84dd2154
- SHA256
  
  22c649f75fce5be7c7ccda8880473b634ef69ecf33f5d1ab8ad892caf47d5a07
- SHA512
  
  6a644bfd4544950ed2d39190393b716c8314f551488380ec8bd35b5062aa143342dfd145e92e3b6b81e80285cac108d201b6bbd160cb768dc002c49f4c603c0b
- SSDEEP
  
  12288:mFIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMW:6zMTMNNd+g5Wk78GBBjgrIQtDF
Score

1^/10
behavioral3 behavioral4
- Target
  
  Ozz Stealer/Ozz_Stealer.dll
- Size
  
  1.2MB
- MD5
  
  88d3f81e9c17733351e0aab6ac8e9049
- SHA1
  
  1827234973a3c48bbb5dc5673aedf5df2baef578
- SHA256
  
  aaaa33bd2e23527ba44f099b31cf4a27bb4617f5a07f871d658bcbf35e43acf0
- SHA512
  
  7c8f2ec495a5c6016bf035e0d3c02b4d26afd76412421921a1c1ff9e0077d88d27d13dbd4bf54cf47523ba3cd2e548d46e6c771584c313fa82afaa301a327f6a
- SSDEEP
  
  24576:oOFEqOFEqOFEjg3o9R3kztDewxTNE2HZYdT2RbJS:Byy4n9RaDdxJDZYdyRbJS
Score

1^/10
behavioral5 behavioral6
- Target
  
  Ozz Stealer/Ozz_Stealer.exe
- Size
  
  160KB
- MD5
  
  aa65c1f4a77cea6d9e13f47656d3bf18
- SHA1
  
  2c02fb3f735c192c792fd89dc90bdb9ace35214c
- SHA256
  
  a6716765985978a0358a1bcb931236eb23ccb3427c8ba336aa5457a90f3492da
- SHA512
  
  0938deaba77720b85a8acbde72d7d4e832aafd3391db0effbb458c52a501e123f47ae31b1ffcf7b5532506704876d6338844c66130966acb47c0924e77793f9e
- SSDEEP
  
  3072:qiS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJq8ltgSbuUb:qiS4ompB9S3BZi0a1G78IVhccctG
Score

7^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral7 behavioral8
- Target
  
  Ozz Stealer/System.Management.dll
- Size
  
  72KB
- MD5
  
  1c71e5310151ce1e9a3a92797776bdad
- SHA1
  
  fd452b874fec4a9dae61a3710fb32749dc7d701e
- SHA256
  
  f515ca5c944c332ab706ff0a7c2e53e66d0d9d8a663e9b2691b35129ee22559b
- SHA512
  
  2a4f18c77449c2d06a3ab6807338f73b03b1faa332e78319829ba3a2b6fd98bb9a83c5e29b47d55e4ce7f0dfdcd8524fa592a0f3ca8ee09daae2894b681265a8
- SSDEEP
  
  768:BrEP45HksbMU3se5c/0b/9nLZV1BCUkVoV0lP7H0CkkiSLJKdbY8Mtuo0eDQP9zu:bbz5wulNV1zkSQzHxkxS9yc8no0nzu
Score

1^/10
behavioral10 behavioral9
- Target
  
  Ozz Stealer/install-python.bat
- Size
  
  683B
- MD5
  
  d2582c98db5aad03be0d391a265f861b
- SHA1
  
  bb545f83d8d69c8a1a08cd773ddcb53689e8f57c
- SHA256
  
  44d62021bd4fa1870a45fc9f1b9bb978196987452688060a87ee97e4626fa4af
- SHA512
  
  268a5a71c70081ee8d6aa34d0a9158740712e174a70a0fac2972bd8fa812c34107ba2859d2f31391cc4b27f3f81a986160d9feb14880bdf02fe0c43567b2afbe
Score

8^/10

discovery persistence privilege_escalation
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral11 behavioral12
- Target
  
  Ozz Stealer/install.bat
- Size
  
  38B
- MD5
  
  667537a1c25c3050eba77c74a343329f
- SHA1
  
  794df2143bd7bd07f9ade899d8fb1055b93236ea
- SHA256
  
  60e27d880d37915497117cecaf8919b5330ff908880451e937d4a83a8f563375
- SHA512
  
  19ec6064e8ed3ecf531bb8f051b88314c12e55dafd1380830acdf3496c3f863f8ba4dbb14a898cc4d2523846dfba5b021d4716b55781830be7fcf0bbae3dd011
Score

1^/10
behavioral13 behavioral14
- Target
  
  Ozz Stealer/runtimes/win/lib/net7.0/System.Management.dll
- Size
  
  288KB
- MD5
  
  76e0aaa7182e77403bf6fe2af8d90f28
- SHA1
  
  d013c5d649f9ebce5bee1c8b774f3290b1f1f532
- SHA256
  
  a7e248c3e6f25f4673e2006fa77f4a4322a3c74c2652dcc395178329feb7ff28
- SHA512
  
  8e161a375fe174d9b203c2a098c92aff411d8521eef133d5174ae7409c394157f7a067c2a9dfe3f76cb02acbed52c33a11579b9a1cbee75e4092e6487d1a7bc1
- SSDEEP
  
  6144:TMbKUVLmD7HP9ab+T5sBFzPnQpEZFAc2Q:45VL2Z++tw92Q
Score

1^/10
behavioral15 behavioral16