Analysis Overview
SHA256
9996b7ab1211684a1d7e32ba542db3332a8fdcef65d2c3e2cc03ff05062cfdd4
Threat Level: Known bad
The file R6 Script.rar was found to be: Known bad.
Malicious Activity Summary
Stealc
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Themida packer
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks BIOS information in registry
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:02
Reported
2024-10-27 22:05
Platform
win11-20241007-en
Max time kernel
124s
Max time network
98s
Command Line
Signatures
Stealc
Stealc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\r6_script\R6_Script.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\r6_script.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(7 matches recorded; the report carries no indicator, process or target details for this signature)
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Roaming\\MyHiddenFolder\\VC_redistx64.exe" | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\r6_script\R6_Script.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\r6_script.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
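The registry reads and the one registry write recorded in the tables above (the VBOX__ ACPI table name, the BIOS and CPU strings, EnableLUA, NLS\Language, and the Run value) are exactly the events a detection engineer would want to re-evaluate over raw sandbox or EDR registry telemetry. The Python below is an added example written for this page; it is not part of the sandbox report or of any Stealc tooling. It re-parses rows in the report's own "| Description | Indicator | Process | Target |" layout, labels the anti-VM, UAC and locale probes, and grades Run-key persistence by whether the autostart target lives in a user-writable directory. All sample rows are copied from the tables above except the explorer.exe and OneDrive rows, which are constructed benign controls.

```python
"""Classify Triage-style registry event rows into analyst findings (added example)."""
import re
from dataclasses import dataclass

# Key-path patterns -> finding label. Search is case-insensitive on the
# indicator column, so ControlSet001 and CurrentControlSet both match.
RULES = [
    (r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", "anti-vm: VirtualBox ACPI table name"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion", "anti-vm: BIOS version string probe"),
    (r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+", "fingerprint: CPU information"),
    (r"\\Policies\\System\\EnableLUA$", "uac: EnableLUA queried"),
    (r"\\Control\\NLS\\Language", "discovery: system language"),
]

# 'Set value' rows look like: <key>\Run\<name> = "<path with doubled backslashes>"
RUN_VALUE = re.compile(r'\\CurrentVersion\\Run(Once)?\\(?P<name>[^=]+?) = "(?P<val>.*)"\s*$', re.I)

# Directories a legitimate installer does not normally use for an autostart binary.
USER_WRITABLE = re.compile(r"^[A-Z]:\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public)\\|\\Temp\\", re.I)

SAMPLE_ROWS = [
    r"| Description | Indicator | Process | Target |",
    r"| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |",
    r"| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |",
    r"| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |",
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Roaming\\MyHiddenFolder\\VC_redistx64.exe" | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |',
    # constructed benign control: a vendor autostart under Program Files
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe" | C:\Program Files\Microsoft OneDrive\OneDrive.exe | N/A |',
    r"| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |",
    r"| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\r6_script\R6_Script.exe | N/A |",
    # constructed benign control: an unrelated key read by explorer.exe
    r"| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | C:\Windows\explorer.exe | N/A |",
]


@dataclass
class Finding:
    label: str
    process: str
    detail: str


def parse_row(line):
    """Split one '| a | b | c | d |' row into four cells; None for headers or non-rows."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Description":
        return None
    return cells


def classify(line):
    """Return a Finding for a row that matches a rule, else None."""
    row = parse_row(line)
    if row is None:
        return None
    desc, indicator, process, _target = row
    if desc.startswith("Set value"):
        m = RUN_VALUE.search(indicator)
        if m:
            target = m.group("val").replace("\\\\", "\\")  # the report double-escapes the value
            severity = "high" if USER_WRITABLE.search(target) else "low"
            return Finding(f"persistence: Run key ({severity})", process,
                           f"{m.group('name').strip()} -> {target}")
    for pattern, label in RULES:
        if re.search(pattern, indicator, re.I):
            return Finding(label, process, indicator)
    return None


def triage(rows):
    """Findings for every row that hits a rule, in input order."""
    return [f for f in (classify(r) for r in rows) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.label:40} {f.process}\n    {f.detail}")
```

Two things worth noting when reading the output against this report. First, the Run value points at `MyHiddenFolder\VC_redistx64.exe`, while the process that wrote it ran from `Roaming\VC_redistx64.exe` and no `MyHiddenFolder` file appears in the Files section, so a responder should hunt for both paths rather than assume the autostart target is the dropped copy. Second, the anti-VM rules label the probe, not the outcome: gWsmPty.exe still went on to persist and contact its infrastructure here, so the sandbox was not detected, or the check is not gating.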
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\VC_redistx64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\gWsmPty.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\r6_script.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\r6_script\R6_Script.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\r6_script.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\r6_script.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\R6 Script.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\r6_script\R6_Script.exe
"C:\Users\Admin\Desktop\r6_script\R6_Script.exe"
C:\Users\Admin\AppData\Roaming\gWsmPty.exe
"C:\Users\Admin\AppData\Roaming\gWsmPty.exe"
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"
C:\Users\Admin\AppData\Roaming\r6_script.exe
"C:\Users\Admin\AppData\Roaming\r6_script.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | downloadsparrow.com | udp |
| US | 104.21.17.117:443 | downloadsparrow.com | tcp |
| US | 8.8.8.8:53 | 117.17.21.104.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 23.249.124.192.in-addr.arpa | udp |
| US | 154.216.18.128:80 | 154.216.18.128 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\Users\Admin\Desktop\r6_script\R6_Script.exe
| MD5 | 74bed11a4506bff5dd718fb7be1ff8c7 |
| SHA1 | 3802ace51db410caaf742213853ccff4d849502f |
| SHA256 | fb51e94bd096d3dfe3465db05acde944934c0af1b289a7397d18b3fbc3989d97 |
| SHA512 | 9d700ebcc3e2593324d5257dea0be2bd81fed447cf00acda27cf293136534aec36de5a766909c995ecca612ed38a70d2ab8f3c4075608f0dcb8cc2090be5e010 |
memory/872-12-0x0000000074FBE000-0x0000000074FBF000-memory.dmp
memory/872-13-0x00000000009E0000-0x0000000000A08000-memory.dmp
memory/872-14-0x00000000053A0000-0x00000000053A6000-memory.dmp
memory/872-15-0x0000000002DF0000-0x0000000002E0C000-memory.dmp
memory/872-16-0x0000000005500000-0x0000000005506000-memory.dmp
memory/872-17-0x0000000074FB0000-0x0000000075761000-memory.dmp
memory/872-18-0x00000000056F0000-0x00000000056FA000-memory.dmp
memory/872-19-0x0000000006720000-0x0000000006CC6000-memory.dmp
C:\Users\Admin\AppData\Roaming\gWsmPty.exe
| MD5 | 436933e79a874b8e312f683b5558a773 |
| SHA1 | 8d9fdee4b75e2698e5d811eeb4cda0cb6d5dea2c |
| SHA256 | 87b78091905e74ada42bc63e8beebc3259a52d92200d1e710d4459f165c24534 |
| SHA512 | a0271659f200de85fef4d9e299b800de4b20f7b9d207eb7e86aead5c40adc1c86556818031c37822ad4a4073659abb4bb4e9e40907ffc8bf99eb4fc4c0d80882 |
memory/3060-30-0x0000000000400000-0x0000000000D0F000-memory.dmp
memory/3060-29-0x0000000000400000-0x0000000000D0F000-memory.dmp
memory/3060-28-0x0000000000400000-0x0000000000D0F000-memory.dmp
C:\Users\Admin\AppData\Roaming\VC_redistx64.exe
| MD5 | e71fadab9273ec97c7dc2b5272f9f724 |
| SHA1 | f9e53d160b7dafc3173602899f3d54bc5a57b67f |
| SHA256 | b6d21693e278a3ac5bb18d4f9ffb9d4c7eea46f0b7673b7b67141df3fa6f0688 |
| SHA512 | d1fddca0754a0795b7e375a9e346ea1cd0508448d78e835db15ec38860f6aee28633553e9fc3847552abeea6fca9405c92a67be5ef57714e6234f2616b6065ad |
C:\Users\Admin\AppData\Roaming\r6_script.exe
| MD5 | d1002a1fed106b1790dca65318074837 |
| SHA1 | d95c41f0b7b907eec10c0c406e5047bc1b1725c1 |
| SHA256 | aa069767f5a303d0878693dcef7c9bf5bfc5f6dc6bd703915a750b33dd73e173 |
| SHA512 | 06200919f2d31efe72c075b86de8783d9c400d13a8301475bfe031bad96aec4902298fcd4c2d43f3b0bdefaad33bc04e7c63a6dc8d44efafca566c1ccc031464 |
C:\Users\Admin\Desktop\r6_script\values.txt
| MD5 | b61d6d7697c794f89e28838d8ec90178 |
| SHA1 | 358d0b6a8ae86c0e01e30b991d545edd24bf1237 |
| SHA256 | 77c10c19c7158580214e1eadb4d88f133e9587062e985928969d0ddfb3797aa4 |
| SHA512 | a390b2efa06f8b2bbb7a028a3a3fb27d3977e668843e1450d6b806fea0471f112d0b3cf6f8f3ff06309e5e9f6605a6417d65756445215ece22bd5fda332a9f98 |
memory/872-59-0x0000000074FB0000-0x0000000075761000-memory.dmp
C:\Users\Admin\Desktop\r6_script\config.txt
| MD5 | a4bab226b2b2c0b955a866b21ff72bbe |
| SHA1 | dc1397ea9aadd94087a48cd6b8871c5df59a63cb |
| SHA256 | 9fa9043aed7456493a1c58e3e804c20e6b96c5ce8d2681d7f71b3c31b0206755 |
| SHA512 | aa0f4accec9c7ea31a739993944730dcc613796e9721187d982b11b877188d38ebc8925104e98754d88a82da7067c9001827f43cc218d105f7462f6c518a7e55 |
memory/2152-62-0x00007FF940E70000-0x00007FF940E72000-memory.dmp
memory/2152-63-0x00007FF775070000-0x00007FF7764E2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 4a6204df8ba7d36fa99536ac4234a3d5 |
| SHA1 | a29802b02c44fcf98877b153e1f33d99747ef227 |
| SHA256 | bae3afb2f6e636519c790dd1e783370a6f18c5356607d744b8de91140a78a49a |
| SHA512 | 7429fd9148a30ed56e7ccaea219cfe805df7fc36469a209ee3d4301c6c30515a7b2dc184f81690439728da046cca3d4e8ed27013f9d79b53a5121c5e3b0bb21e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 0c5fba0d83f6c9fe3be0c88be1c90520 |
| SHA1 | ecfd5ea014c150209ab597119ae65aacdabb8177 |
| SHA256 | ce380f7776b242f23e0e3b99f50e5f2ab64e2588ea56a8203e701e1bec79695c |
| SHA512 | de8fd74b05d36e003eed0e082fe057ca0c31094112c7877fff0a548db0d4ca1966c9312f1bd80cf9f184a5cb368413484ba45a67805248080f451e5555a3f881 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | de40914adc9d348cf6deaf263384f13c |
| SHA1 | b1515b4548a264f84a141fee95e5eb25d581106a |
| SHA256 | 8f38b0dced1fec07b9e7d6ba21b976a2ee2aaf0234316c601f5cce7edd04b880 |
| SHA512 | 4be0ccdd37f0c21319db36419f6615457f8ec834d7bc1d5cb2c91d13e4f578687e9bd90a02591cc6de050933ebcc5278bd507167c5152e0fcbd135251bc37fce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 5dfe75a625ea1aec970a2f577515f558 |
| SHA1 | 793fffcfe12ffc631307d9dc699c44d1e44743f5 |
| SHA256 | 35c378b345be786a52171cfeb054bf953a2ff55e35e787248164a096f2ad915b |
| SHA512 | e9f7b2e3861addf4ddf690080a155fedfd8dd4b24ad933e2a1c76245810be807f3d8c1cb2209c8814d528aeeb068ea7c157fdaf000b6e919b08cf60959f1fd66 |
memory/3060-73-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/3060-155-0x0000000000400000-0x0000000000D0F000-memory.dmp
memory/3060-154-0x0000000000400000-0x0000000000D0F000-memory.dmp
C:\ProgramData\README.txt
| MD5 | 18827f3a2f1dc1802f96ef0ada007f20 |
| SHA1 | 320c132f1cd8e7350ebde53cd11179839146c14c |
| SHA256 | ce3a63acd88f700cc86f1ee510af6eb4413b24aa6c515dfda56e4ca70927ae74 |
| SHA512 | 0f9cde86b723a36534214f8dc3a98aa9788714ad2001f50fec149ce0f0d190cc4d5e6538977675fb7cd9537ae2883f66cd48846bb5f8b2b8fa03234db4eced28 |
memory/2152-177-0x00007FF775070000-0x00007FF7764E2000-memory.dmp
memory/3060-196-0x0000000000400000-0x0000000000D0F000-memory.dmp
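The Network and Files sections above mix hunt-worthy indicators with detonation noise: the sandbox resolver at 8.8.8.8, reverse lookups under in-addr.arpa, in-memory dump regions, and the CryptnetUrlCache entries Windows writes during certificate revocation checks. The Python below is an added example written for this page, not part of the sandbox report; it parses the plain-text layout used above (a path line followed by hash rows, with `memory/...` lines interleaved, and the four-column network table) and keeps only what belongs in a hunt. The embedded excerpts are constructed from a subset of the rows above.

```python
"""Pull hunt-ready IOCs out of the Files and Network sections of a Triage-style report (added example)."""
import ipaddress
import re

# Constructed excerpt of the Files section above (three of the listed files).
FILES_EXCERPT = r"""
C:\Users\Admin\AppData\Roaming\gWsmPty.exe
| MD5 | 436933e79a874b8e312f683b5558a773 |
| SHA256 | 87b78091905e74ada42bc63e8beebc3259a52d92200d1e710d4459f165c24534 |
memory/3060-30-0x0000000000400000-0x0000000000D0F000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | 4a6204df8ba7d36fa99536ac4234a3d5 |
| SHA256 | bae3afb2f6e636519c790dd1e783370a6f18c5356607d744b8de91140a78a49a |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
"""

# Constructed excerpt of the Network section above.
NETWORK_EXCERPT = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | downloadsparrow.com | udp |
| US | 104.21.17.117:443 | downloadsparrow.com | tcp |
| US | 8.8.8.8:53 | 117.17.21.104.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 154.216.18.128:80 | 154.216.18.128 | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
"""

# Windows-maintained caches present in every detonation; not attacker-dropped files.
NOISE_PATHS = re.compile(r"\\CryptnetUrlCache\\|\\INetCache\\|\\Temporary Internet Files\\", re.I)
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)
PATH_LINE = re.compile(r"^[A-Z]:\\", re.I)


def parse_files(text):
    """Return {path: {ALGO: hexdigest}}, skipping memory dumps and cache noise."""
    files, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if PATH_LINE.match(line):
            current = None if NOISE_PATHS.search(line) else line
            if current:
                files[current] = {}
        elif current and (m := HASH_ROW.match(line)):
            files[current][m.group(1).upper()] = m.group(2).lower()
        # 'memory/...' lines and anything else are ignored
    return files


def dropped_sha256(text):
    """Sorted, de-duplicated SHA256 values of the files kept by parse_files."""
    return sorted({h["SHA256"] for h in parse_files(text).values() if "SHA256" in h})


def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def parse_network(text):
    """Sorted (indicator, kind) pairs; drops the resolver and reverse lookups."""
    out = set()
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        _cc, dest, domain, _proto = cells
        ip, _, port = dest.rpartition(":")
        if port == "53":
            if not domain.endswith(".in-addr.arpa"):
                out.add((domain, "domain"))  # keep the name resolved, not the resolver
            continue
        kind = "ip:direct" if is_ip(domain) else "ip"  # bare IP in Domain = no DNS, direct-to-IP
        out.add((ip, kind))
        if kind == "ip":
            out.add((domain, "domain"))
    return sorted(out)


if __name__ == "__main__":
    for path, hashes in parse_files(FILES_EXCERPT).items():
        print(path, hashes.get("SHA256"))
    for indicator, kind in parse_network(NETWORK_EXCERPT):
        print(f"{kind:10} {indicator}")
```

Two caveats before these go into a blocklist. `nss3.dll` and `mozglue.dll` are Mozilla's NSS libraries, so their hashes will also match legitimate Firefox installations; the signal is the `C:\ProgramData` location paired with a non-Firefox loader (here gWsmPty.exe, per "Loads dropped DLL"), not the hash alone. Likewise `t.me`, `api.telegram.org` and the Cloudflare-fronted 104.21.17.117 are shared infrastructure, so alert on the connecting process plus destination rather than blocking the bare address; the direct-to-IP HTTP connection to 154.216.18.128:80 is the one destination here with no such ambiguity.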