General

  • Target

    r6 External Aimbot + ESP.rar

  • Size

    3.4MB

  • Sample

    241104-djccsasejl

  • MD5

    94519843b9b8eee0f68c9eff7aa78a69

  • SHA1

    2d682df3dc77039e85b2331c7bbcf1967bba17e6

  • SHA256

    bd8c47ee070482e8ebb374c7eca83b3963764bb1cb8af2ac6c072d2463a37adb

  • SHA512

    355d54121c553812511eb3406679e6ab2378677e988745b8c173899a3ca077e77baf4f149ae62a9059a3dcdfe45b4c773ee51f34d473a4e7696825f47fe2c422

  • SSDEEP

    98304:kY5xjZTIHOK2Q/bKp9SpbsHPhyiJd9wNi6LjfSkZ6YX:kw3IHOKnMQi7ONi6LDSkZpX

Malware Config

Extracted

Family

stealc

Botnet

game

C2

http://193.233.112.44

Attributes
  • url_path

    /383ccd496f3c5eee.php

Targets

    • Target

      r6_external.exe

    • Size

      3.7MB

    • MD5

      6b81f9f9d69045ba2ebb229dfcd42554

    • SHA1

      d3ec868616014de922e1e8fa77f0fd9e19e72f3c

    • SHA256

      7261d4b797dbbf5cb8c015beb343ef7f95f1183553d34d11b5a620ee34c80ddc

    • SHA512

      c618541f8534d60522c1ead509e2682d511bf749a4221db4b4383da294d8fa807f334c30f4a8b66171a2345381067e5cdb3b79eb72823bb78842b611aa96cc63

    • SSDEEP

      98304:TXJFZkiG8LhDN7S8bPDUUNiAcN+KK09tpC/Ms:TZFSEB7S8bbUUEK0k/

    • Stealc

      Stealc is an infostealer written in C++.

    • Stealc family

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks