Malware Analysis Report

2025-03-15 04:35

Sample ID 241027-1x98astdjg
Target R6 Script.rar
SHA256 9996b7ab1211684a1d7e32ba542db3332a8fdcef65d2c3e2cc03ff05062cfdd4
Tags
stealc game credential_access discovery evasion persistence spyware stealer themida trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file R6 Script.rar was found to be: Known bad.

Malicious Activity Summary

stealc game credential_access discovery evasion persistence spyware stealer themida trojan

Stealc

Stealc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Themida packer

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-10-27 22:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 22:02

Reported

2024-10-27 22:05

Platform

win11-20241007-en

Max time kernel

124s

Max time network

98s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\R6 Script.rar"

Signatures

Stealc

stealer stealc

Stealc family

stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\My Program = "C:\\Users\\Admin\\AppData\\Roaming\\MyHiddenFolder\\VC_redistx64.exe" C:\Users\Admin\AppData\Roaming\VC_redistx64.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\r6_script\R6_Script.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\r6_script.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Roaming\gWsmPty.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\r6_script.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\r6_script\R6_Script.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\r6_script.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\r6_script.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\R6 Script.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\r6_script\R6_Script.exe

"C:\Users\Admin\Desktop\r6_script\R6_Script.exe"

C:\Users\Admin\AppData\Roaming\gWsmPty.exe

"C:\Users\Admin\AppData\Roaming\gWsmPty.exe"

C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

"C:\Users\Admin\AppData\Roaming\VC_redistx64.exe"

C:\Users\Admin\AppData\Roaming\r6_script.exe

"C:\Users\Admin\AppData\Roaming\r6_script.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 downloadsparrow.com udp
US 104.21.17.117:443 downloadsparrow.com tcp
US 8.8.8.8:53 117.17.21.104.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
US 154.216.18.128:80 154.216.18.128 tcp
NL 149.154.167.220:443 api.telegram.org tcp

Files

C:\Users\Admin\Desktop\r6_script\R6_Script.exe

C:\Users\Admin\AppData\Roaming\gWsmPty.exe

C:\Users\Admin\AppData\Roaming\VC_redistx64.exe

C:\Users\Admin\AppData\Roaming\r6_script.exe

C:\Users\Admin\Desktop\r6_script\values.txt

C:\Users\Admin\Desktop\r6_script\config.txt

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\ProgramData\README.txt
