Overview

overview

10

Static

static

10

Tronics Cl...s.json

windows7-x64

3

Tronics Cl...s.json

windows10-2004-x64

3

Tronics Cleaner.exe

windows7-x64

1

Tronics Cleaner.exe

windows10-2004-x64

1

Tronics Cleaner.exe

windows7-x64

3

Tronics Cleaner.exe

windows10-2004-x64

7

Tronics Cleaner.pdb

windows7-x64

3

Tronics Cleaner.pdb

windows10-2004-x64

3

Tronics Cl...g.json

windows7-x64

3

Tronics Cl...g.json

windows10-2004-x64

3

respoof/hw...of.exe

windows7-x64

7

respoof/hw...of.exe

windows10-2004-x64

7

main.pyc

windows7-x64

3

main.pyc

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    FiveM-Cleaner_Leaked_BY_LaivynoLeaks.rar

  • Size

    17.8MB

  • Sample

    241006-msy3kstgra

  • MD5

    6621a5c807b7745c77243e69ecfd287b

  • SHA1

    534fc0bfc69ef9b00e01c75dfa28322500e5b1f0

  • SHA256

    a8f75d7ffd1e4b90d275bf9cc760164cc1ddc3cc1f5d3ea5c4a70dc89582e627

  • SHA512

    25edfb778503754242ade87ce6f207221e0afe41d343400315ef2fe6e1631c8076219f87ded52b5151b53e5c29d78eb4ccb36086eb0fd9e07dc268e290c0e4a8

  • SSDEEP

    393216:zvumNedc9Ggk4y3CH2c6JwC7ho2Ha+NVmKRvMXu6OngFe4Qdxb:zXgKGH4n56JwOhoka+DmKRvgu6Q4QXb

Score
10/10
empyreandiscoverypersistenceprivilege_escalationpyinstallerspywarestealerupx

Malware Config

Targets

    • Target

      Tronics Cleaner.deps.json

    • Size

      437B

    • MD5

      a9044b5b77e53f7362e755661ccd7f06

    • SHA1

      ece12145632db1635a6c5b7fc7f7b8c5c474ef63

    • SHA256

      212340ba8d17e90fb8382770b6f812967cae6e8b4623f593c8dd7f323ad0f044

    • SHA512

      24c9211738465a264a7cb601fcd908730c866a424a466552bacb90992573afe8ab309cde77080f547efcf52aa698b25078f703a84eeec709230c5db8ba427c22

    Score
    3/10
    behavioral1behavioral2

    • Target

      Tronics Cleaner.dll

    • Size

      217KB

    • MD5

      49a89db96d2956572286b9d64acf00df

    • SHA1

      a3dcca3b3748d393b1bfbd3226b0fb857006a2f5

    • SHA256

      2e57c6d432940094bb59e8d08b911fd3004eb4a710545dad06a1e405ae672c6c

    • SHA512

      4fd2942db218d8473c2b5ee5c17333e6176c121f4477719174ee24912b483c67baf5ba75ba0904e5ecfb461ec5f14d2644b30304ac791507420b8d40fd104ebe

    • SSDEEP

      6144:DWwF4JOnLdcUtItF3DEz/Z/txhAVmjI+6WV3T:DcJOxcp3G/tEeSWV3

    Score
    1/10
    behavioral3behavioral4

    • Target

      Tronics Cleaner.exe

    • Size

      224KB

    • MD5

      4b26d2f329c4b687747139c7d00d7033

    • SHA1

      d6ea972378e2f26c299f11290ae531f7e8583485

    • SHA256

      95c8ae8247eb49eec27695d5090fff6f1fb74ff76d4e0b306200055d469019c4

    • SHA512

      b55e8394eef8cf7010c74d36d27eef3d80c25ab91353be1419aa026a2a4e05e87e35c79b283e01a5653f29344fd4e4644155cdf45955a57f1ec66b2eaf556a36

    • SSDEEP

      6144:1o9IKDCCGR0QFcd/sZtxhAVmjI+6WV3T:18IrCGR0rOtEeSWV3

    Score
    7/10
    discoverypersistenceprivilege_escalationupx

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5behavioral6

    • Target

      Tronics Cleaner.pdb

    • Size

      14KB

    • MD5

      a74e1815eafed45f994e6cdb0f76f766

    • SHA1

      8cad8cef2ebc4cdf06c25a8ebd8718ca3089de65

    • SHA256

      ba241bc59f29f8267313d68380bc88b55dd3591739ddd3c016807ccec6d9918c

    • SHA512

      50271f258fe59ca25c397e4d2e651af70b94e9d832b2a38cdb41ba4fb780bf272dcbe45ce742f8ea58325099feca2884a1ac6d96d01b7abe0552de086d2fa7c3

    • SSDEEP

      384:3YfQstF3rwe3Nea8bSdw74Ly7u6CmW70hoFXC1hGfHRBHNfY1hm8MUCzNhcx6a8G:3YfF1HPynC3FIACCmNd

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      Tronics Cleaner.runtimeconfig.json

    • Size

      372B

    • MD5

      cc164c1b948924c198019ea9b728e06e

    • SHA1

      cc531f61753f5aa889a0d23526de40c9ea6c9717

    • SHA256

      0d2a78306989c968cd73f4a6b462eef0371639cbb8790248028e12cba035445a

    • SHA512

      402d464ff16a9c7d7d5b85063fce4027b6eab6bae2bff73b8bb35252acefe645c0c05c030cf2d1a6f38e8e1422829734d7985ea3609fe550e95c28285847dc70

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      respoof/hwidrespoof.exe

    • Size

      17.7MB

    • MD5

      5ea44377ad7ec6f5d842d9f344baa548

    • SHA1

      71b33afbdf317d7ee9f766c596c44ce0021e4adf

    • SHA256

      ebb18836b89050e52eae73912ef7cc5c20d1442274e319d9b2b7f5505a64f5ed

    • SHA512

      29763dafdc938cdf456b29894e5ddd40460d84bfd3fc9de1983fcf7b8ad083737dfdc27b58d8309816f3ee6abb0fbf96029965133ef0ea814166a3796860326c

    • SSDEEP

      393216:NqPnLFXlreQpDOETgsvfGaTgwakvEEGGSPLZq:UPLFXNeQoEHBadUSTM

    Score
    7/10
    upxdiscoverypersistenceprivilege_escalationspywarestealer

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral11behavioral12

    • Target

      main.pyc

    • Size

      7KB

    • MD5

      70d3e130648b4a4708dfc3825c70ca6f

    • SHA1

      65f8d18724aff0d8cfe2a47bd77c12b4774f2765

    • SHA256

      b8d28647d153a9bd3eef41c811c702ab2d185afc9453548d542c409999c93aa9

    • SHA512

      5e3e9bda14e1c95ad07e2067c19bfe1c386e4bdb7116bcb09345e1325e0c4f4f1123d7c30fa073fbc23f0cbd302c9ca90a3024f71bcbbf001867bc545c7f3933

    • SSDEEP

      192:weHvbXZtD8Zw0ZWdXwKckM+TyJhwLK6fMdwhnw:xPbXZmw8WuDkO2W2Phw

    Score
    3/10
    discovery
    behavioral13behavioral14

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

System Time Discovery

1
T1124

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks