General
-
Target
VegaX.exe
-
Size
71.1MB
-
Sample
240919-hrycfawdmb
-
MD5
7213502f2a406a9536d2ef15abebf557
-
SHA1
72fe54d77bb5eb65f3b0550b1649e92a7f7194d9
-
SHA256
308c12b8866e46851ff66294c45e2c2a7641ae42806506df27d339b823790e86
-
SHA512
a36aaca2c32ec7b8f82e22b6ee68dd6f23762b8cc3b932c4eb4e7f300be35e569f26feb081697d374fd5387d18d144e85f6d9e3bd2481f775f17c4dc8cc69600
-
SSDEEP
1572864:k4/4rzOchPcRuakQ0JdDDENefeXjFomgXyNkKnSTxT3d3930Gj7:vkqcdcR1kLgOAKmCGkySTVJ9kGj7
Malware Config
Targets
-
-
Target
VegaX.exe
-
Size
71.1MB
-
MD5
7213502f2a406a9536d2ef15abebf557
-
SHA1
72fe54d77bb5eb65f3b0550b1649e92a7f7194d9
-
SHA256
308c12b8866e46851ff66294c45e2c2a7641ae42806506df27d339b823790e86
-
SHA512
a36aaca2c32ec7b8f82e22b6ee68dd6f23762b8cc3b932c4eb4e7f300be35e569f26feb081697d374fd5387d18d144e85f6d9e3bd2481f775f17c4dc8cc69600
-
SSDEEP
1572864:k4/4rzOchPcRuakQ0JdDDENefeXjFomgXyNkKnSTxT3d3930Gj7:vkqcdcR1kLgOAKmCGkySTVJ9kGj7
Score9/10-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
-
-
Target
$PLUGINSDIR/StdUtils.dll
-
Size
100KB
-
MD5
c6a6e03f77c313b267498515488c5740
-
SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15
-
SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
-
SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
-
SSDEEP
3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
Score3/10 -
-
-
Target
$PLUGINSDIR/System.dll
-
Size
12KB
-
MD5
0d7ad4f45dc6f5aa87f606d0331c6901
-
SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457
-
SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
-
SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
-
SSDEEP
192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
Score3/10 -
-
-
Target
LICENSES.chromium.html
-
Size
5.2MB
-
MD5
df37c89638c65db9a4518b88e79350be
-
SHA1
6b9ba9fba54fb3aa1b938de218f549078924ac50
-
SHA256
dbd18fe7c6e72eeb81680fabef9b6c0262d1d2d1aa679b3b221d9d9ced509463
-
SHA512
93dd6df08fc0bfaf3e6a690943c090aefe66c5e9995392bebd510c5b6260533b1522dc529b8328dfe862192e1357e9e98d1cdd95117c08c76be3ab565c6eea67
-
SSDEEP
12288:/7etnqnVnMnBnunQ9RBvjYJEi400/Q599b769B9UOE6MwMGucMEbHDuX0YnpWQZb:sPM95FCWStQj6ERs/mfMl6H0skDpS
Score3/10 -
-
-
Target
System.exe
-
Size
139.6MB
-
MD5
a1bd7f9fcdb0b75d30fa9f0caac5d2a7
-
SHA1
5602eb1782cb0de1aba91d3c06589be195c5dee8
-
SHA256
7c878c82ccd577f3dad67fb1fe5e0b681f27ba9a741c79bfd9bbfa032dccde65
-
SHA512
1befc5c99e4832dd5d53759c4ff6e24d9a6059e494573f84d3395c1473690d29ec1534f9fcce20ab54f811a69d4c443f862dc7ddb908c99037637105b58bf85e
-
SSDEEP
786432:d14w5ThzHwQBgmoLWv+K18nCzKdo5DTdvfMQr6SSmPuvh8tSIW68:d14kpHwQjCWv+K18CedmVvEQEpcJW
Score9/10-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist
-
-
-
Target
d3dcompiler_47.dll
-
Size
4.3MB
-
MD5
7641e39b7da4077084d2afe7c31032e0
-
SHA1
2256644f69435ff2fee76deb04d918083960d1eb
-
SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
-
SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5
-
SSDEEP
49152:aYlc/220PPiMLKam+VMrLi21f4i3jn5ZO3XUDmOZQwVd2uQpN3WsGVUWd55i/jrs:a6KD2Mrdaix4NQnLt
Score1/10 -
-
-
Target
ffmpeg.dll
-
Size
2.6MB
-
MD5
c3842fb3087cdcdb04020ac38683c289
-
SHA1
329dbcd4a1c79b891b200f11eb50194b85c493bc
-
SHA256
e79792af338d61424bac87a19c6f34f3b4bc1382345633b8d509253a0a6c2133
-
SHA512
069196b8006e908954e7ab16131a0d10889a0f7517eaab2423a82fe49fb9b045c0d95dbf7c08c10ddf1a21983aea4a0d207decf91baacff0884511589a57dec5
-
SSDEEP
49152:JcMr6+FXptsXTmgP7he370olRK+KCKyRb+kyqVZWxX0b4unfruHw:RKer0olGyByEf8
Score1/10 -
-
-
Target
libEGL.dll
-
Size
437KB
-
MD5
8352fd22f09b873193cabc2932be92f0
-
SHA1
5bd2b58854b279f1733c5f54ea2669ee8a888d9e
-
SHA256
14a4aaa010be14762edfee01fd1f6b9943471eb7a2f9011a2b5c230461cd129c
-
SHA512
7281e980f2e82f1cc8173d9f8387a97f6e23ec5099ed8dca02222c4e17fa4cfef59d6aa300b1cf06d502bdcf77d9a6dbb08ad6658ae0a28ae6f9f995109da0d2
-
SSDEEP
6144:odpiWYLBViWOSdAr1Knk2mI3LpxE0RYqowpW6VmHrtff1FI:ipvYLbiWBqrQnPxE0cKmHZ3P
Score1/10 -
-
-
Target
libGLESv2.dll
-
Size
6.7MB
-
MD5
b6a433dc7b4030fb17bd1683a9606b6e
-
SHA1
0602c50532e3f13facc67bd95a048c470e88afcc
-
SHA256
f7ae57a1d7d3e284714ca354f5292aa9b75086489cbfba8b1f54548445b6b3e9
-
SHA512
b9ba2e20ec878e3acae93d8254e69374e391fd4a3d5c1833282c43896d123baa874f1088839f3bbcf05539eda0e2aeaef28d7742ab8e20ec788382501e2152b1
-
SSDEEP
49152:aYKj6OhH5vSqGZ/UUopyV+gsIm3H9VnT+EisbCQ12+Q6nUBnKJ/lwE2f9rgqFnka:CvSqGZaVoH9xz+TPYrijOxm
Score1/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/take-cam/DirectShowLib-2005.dll
-
Size
296KB
-
MD5
c20c205c6f8d70a5e1351a4041a3ec9f
-
SHA1
e1b2a763dd6c42439656e4e55aba0f3610ff3784
-
SHA256
bbcbb170242d9ff1b56680a80b1f8755df1135f9c714535ff3b3f575442f38dc
-
SHA512
dffd59d775dbb89cd886a2212fb9fe4cf0b2bdd7f2c00f8dc7c6b2287053b4971c8c6c033109ff1f90cdacea082e44d3c19fa76325d24976420c418218e701f1
-
SSDEEP
6144:XB+kb3Pf7fPZ2DS7vU1e1YcW3f+UM2XET3YB7npB39AFa:X1b3Pf7xq627JEa
Score1/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/take-cam/prey-webcam.exe
-
Size
24KB
-
MD5
471b15abc9f2e98fb7ed7361d3f045eb
-
SHA1
95b5798d80a9410872f6ed485ae2b43ca3745540
-
SHA256
7c262639cb22348dfd627dc07c76e8748e5bcacde2dcf1614773ab174c831004
-
SHA512
5b3b59aa1dbaef31b0ff6ccde082d7c312e39e311a46fe20d590d5d7765f934d3b663da9609ff4fb7beba2e8fa85376cf74f14ae077f3c0b49189cc28c30163a
-
SSDEEP
384:tKwddpmWq759qMMu89Y3sX9DpX0wwVJBsqIYiF9nN3ZqrhmFqn:hTpY7ztOL9DEJBsXYi6hb
Score1/10 -
-
-
Target
resources/app.asar.unpacked/node_modules/take-cam/snapshot.exe
-
Size
161KB
-
MD5
16a12bdc986207390dd79d658a6b2263
-
SHA1
b4b41f62cbc1e1ede786c6e30e11df8e61750bad
-
SHA256
50a8dd2f292bea9190204a42de067a34d5cbbec53746d40fe5b067fc85190bac
-
SHA512
d20394028c5d3ca46bb4879cac40da07b7d857f9a4a834bb4db4bd047f1a3265a80e1f7528244da6ee97c2f3e0cb5b2e51bc88eeb382a027939c2188e66dcdd9
-
SSDEEP
3072:Qus/jqDobf5DrX7oLqLsKS0lG8jah8+N9vxmgD0V558JYizJT0:svX7Sl8lGNfvkA0VwS
Score3/10 -
-
-
Target
resources/elevate.exe
-
Size
105KB
-
MD5
792b92c8ad13c46f27c7ced0810694df
-
SHA1
d8d449b92de20a57df722df46435ba4553ecc802
-
SHA256
9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37
-
SHA512
6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40
-
SSDEEP
3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l
Score3/10 -
-
-
Target
swiftshader/libEGL.dll
-
Size
450KB
-
MD5
19dc9ee70e7765bb63a66b6826e8ecb7
-
SHA1
1a12f983f8b35cc2955d30657971f113c47dc164
-
SHA256
83d5719abee35e051d984510e1d5d9317a109031698814742b59bdbbe7d4e30f
-
SHA512
1fda2bcc4b2e70987ca6011ab2534007ae4f752016d29a588aaae839bb25c35e03773f220b6a8e926cf2643997e7d4c0f28743304269b2c55642ce12934def68
-
SSDEEP
6144:gFzcMPKWOp0q29LDwK3p3KHvDstVpphcSGbwSi6DH0hl:g2WOOqiLDrthhcSGnc
Score1/10 -
-
-
Target
swiftshader/libGLESv2.dll
-
Size
3.0MB
-
MD5
c0b36d56d83e601bf246f7709a8c5f9d
-
SHA1
b025a6070f7d61c7d1827856d2d4043834fd23f2
-
SHA256
45bb5e1f8dd87129ac0a75c78f8f29d06e3ac182a00fc5199b692068f1e05a53
-
SHA512
e429ae63bd8a7d5a936a638783511693e8fbbc91d97779b3d4dd3f0880f1c8a820106bfb57cf7ee6b3639f19165de87bbe127aadd81218689fc6c8fada2106d1
-
SSDEEP
49152:D0mOy4fytPTlZQPF/IBCfG/owBx8iqQyehF3Hn0gPD2vzFW/GyCbZpjGKiqZ/nYI:DgfyjyeelZ/YNg/Yr
Score1/10 -
-
-
Target
vk_swiftshader.dll
-
Size
4.4MB
-
MD5
de2d91476e625278c30a5f69a1892e05
-
SHA1
4d707f6a801611fb437f5c1cba31b0909bf41506
-
SHA256
02c7f0b926c64f5a19a9aacd5f94ee00be4d576486592e18acc80c0a027b05ba
-
SHA512
d027407539346e5aedd527f5f71de45bace6295e96a7fbefbf273c930d64a791e488e4bdf6ef8db61fc19c80cac52a6e398c2973499c6fedb1e422c3ba71f532
-
SSDEEP
49152:px2VjoakX4pb7QH1fUlTB7zmNmdpTE5NSomaZXYjLlHks2RPF/lOzl+LZ/n6du7F:K2DtJ+wixdag
Score1/10 -
-
-
Target
vulkan-1.dll
-
Size
819KB
-
MD5
b91586bd80e057a7f62bdc4422744812
-
SHA1
a1df644421ece2e740e5bf0ed98b4f269fd85c39
-
SHA256
8ba72d98e0f78b77bda7816cd7232809d287310d34e0f1d7472b9d5fda2c6d02
-
SHA512
94f0a8e3e75e4803891c0fcb257052dbe0e7399772fc7a46ab802629f76ee580ed30b3678fa6bc3744c12cf9f3103bbc8276e88f6711278748148e9fbeef2053
-
SSDEEP
12288:ekyJJLfcn5To6PuXtLvEdGnZSss43uobIoD:JnhoR5Ed8S2ukD
Score1/10 -
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1