blankgrabber | 4558e5347818874f767466464daa78d5fcbf4180e2e4214e8bcd241cf8cf4288

Sharing

General

Target

FurkUltraExecutor.zip
Size

32.3MB
Sample

241105-fd79daxmbl
MD5

998b9a7b04bedb14456b5d56a761fd28
SHA1

76e2a9dcf2fac8f222ab2dff87dd4be8d174a312
SHA256

4558e5347818874f767466464daa78d5fcbf4180e2e4214e8bcd241cf8cf4288
SHA512

f3251d4deb079412f78bc5f30d20a38630830295870c0e33741cd6f56d7b4c2d4a945c7034b0e82c0ade9fc285b80b26864f68fbbfc7dee228e6019413689643
SSDEEP

786432:fa4kjUaA57jjYiVhFJBSV3EkG7l1KbDf3ezicMn:fa4kjA7QMhFjSdEkG7l1KbDf3ezZMn

Score

10^/10

Malware Config

Targets

- Target
  
  Furk-Ultra-main/Bypass.bat
- Size
  
  61B
- MD5
  
  ed9b8d9a7a6855bd7542906c89df7d59
- SHA1
  
  2fb50de53bb455b43cfe3f52032b245c2c50a3fc
- SHA256
  
  c29fe90eeae955d900405ff44043bdba6d2b76504a1f606dd87f97bcfd61ffa6
- SHA512
  
  bf2f3138353973f64ac93971fbf50e8ed8f6fb21d38f4c5a7940fb7077323df424da54c9ddcf172280dee97b0caa052eda09466dfc3e3bcc318235d97ff15219
Score

8^/10

discovery upx collection credential_access defense_evasion execution persistence privilege_escalation spyware stealer
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  Furk-Ultra-main/FurkUltra.exe
- Size
  
  939KB
- MD5
  
  ae40aa4a810011454626af870b5af1a6
- SHA1
  
  36d59c0bbd384b649d0ca54868be5199729aa78a
- SHA256
  
  1f79fa84d8edcf581380c9129f5e392d778d48c8f815f331871d74a95a16d397
- SHA512
  
  a60063b50fbeab343667f463715a9db0194194314ee538383dc11a7693c21aee30345aeb0dc39d0ad494b7d841a87475d16e6b2ec0d78c40eb78fa09220a4a5c
- SSDEEP
  
  12288:+jabtvyU7RBv4XpnMQ9Nx3Ug+YL4UIHDPJKDbn2mFX1WpZOVXfTpU4n81yyU9:vUUbG9zE5YLv29K+mFX1WLkbpUPyV
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
behavioral3 behavioral4
- Target
  
  Furk-Ultra-main/ICSharpCode.AvalonEdit.dll
- Size
  
  605KB
- MD5
  
  d8f0e3940b5bbe9599ee0a84b541d50f
- SHA1
  
  850d54860f97c431759933fceb92501df03a9e73
- SHA256
  
  202a4719e4b879da67445ab50901d80a259f8680b5d16bc0f929e0a6f6fad199
- SHA512
  
  1af4b712a6716abaef56f754cc2e63d27b15f9d2d23285e2491b45e714f34acb3d7b026a2f7b316043253f4b7b9c98dc390ad0a53f2016c486bb695499cdca2a
- SSDEEP
  
  6144:wxYTpmHJ01ImQ4JeqcP3Y5hdjxRDSipwypt+9mz+OB4JFDu8n+kUXjWyUO8tKtTD:wKTpmH29/xRxSmzmDuNxHR
Score

1^/10
behavioral5 behavioral6
- Target
  
  Furk-Ultra-main/Newtonsoft.Json.dll
- Size
  
  683KB
- MD5
  
  6815034209687816d8cf401877ec8133
- SHA1
  
  1248142eb45eed3beb0d9a2d3b8bed5fe2569b10
- SHA256
  
  7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814
- SHA512
  
  3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721
- SSDEEP
  
  12288:Lf9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH:7XNL2PVh6B+Bzjmc
Score

1^/10
behavioral7 behavioral8
- Target
  
  Furk-Ultra-main/Scripts/Dex Explorer V2.txt
- Size
  
  636KB
- MD5
  
  5c3866fd535e0d8753999abad37cc58a
- SHA1
  
  54b2304611d655ca2a5bb059acb7fd47d59cfc01
- SHA256
  
  9cf75612842a8527d3e7c112690b5a0758fb996d536e0d2218cb6c63846a1fc0
- SHA512
  
  1107c62655ef7594cdb6da0f92da96df2b5beaed306fe0d5a8aa70a560c3c5ad5b8a179897d72f53ac87dc59be3eb30aa2be2ef9d600f2149b0d46bbddcf6b00
- SSDEEP
  
  6144:uJCMsX/4Mu4JKM2nw1u/oBSz/+JWoaxqX29kRCmAEkdR8hsE2CDA6q8YnegCi8MY:2w1u/oBSz/+JYTiui
Score

3^/10

execution
behavioral10 behavioral9
- Target
  
  Furk-Ultra-main/Scripts/FPS Aimlock.lua
- Size
  
  10KB
- MD5
  
  4bbe9d46f882a1f0f04fe3cde85bad84
- SHA1
  
  80d1ee35e7e471f8fe9e5f68cebbd834dae4092f
- SHA256
  
  8b7f73229d13d062fef9c4f06610c382838244495cfac2c8db37f927a87b0121
- SHA512
  
  bc197145316a391ad7126fb24736ad11b90b56e1ee60c29cfb65f5d59673fd1d20cc723546c7b50f4e2cb5faee81d10095d4823d5c25528b811b3760ce664225
- SSDEEP
  
  192:+P+bRz3yGXGkGJGSG7X49o178A3RDeOKxNqDbbrTJ/1ObrTJ/yS6WFMxFMoSfqGy:+P+bRDyUT+bXg84RyDqDbPN1OPNwzeq/
Score

3^/10

execution
behavioral11 behavioral12
- Target
  
  Furk-Ultra-main/Scripts/Hitbox Extender.txt
- Size
  
  70KB
- MD5
  
  cfef731e7d6bd00bce9c97ae92af4113
- SHA1
  
  5f15389bee2a005bd80d32a966b22598b616687d
- SHA256
  
  623481eac0575ca1e7decf41b5040142fa4693259c69662a5e6cada2b4b71001
- SHA512
  
  487a478497af1d4b1f3358e25e5381d6a5f023aa3e345f1d3fae78222fa153f00b0d34c2cdb4dd07b1942d7d59844809c755433b392a22721795067a52d21bb4
- SSDEEP
  
  768:unLcrQJSDv2ptuzvJwucDyxPRe78tTJVmhFLCuMMgNAyBg7LI5:uvJSDvauzvGucDsXMhFLC9MgeyBx
Score

3^/10

execution
behavioral13 behavioral14
- Target
  
  Furk-Ultra-main/Scripts/Kick Off Script.txt
- Size
  
  194KB
- MD5
  
  4f68808d6169616eae6473b0c271c74a
- SHA1
  
  10839f8a9d6f83f65c4cdcd53bf231611831d9f4
- SHA256
  
  54833d16d772645254528c77fadd37d1367d6d53df7a59115aa932bebc140c22
- SHA512
  
  bdd2476c68b4f85b0d7c18ffc2aaa3f62c2940939f9e5427ba86d7cd2c04434b6bbd9beb3ec042db616375dadcb29aca805406329415619f9c53fa0624b2a6fb
- SSDEEP
  
  1536:6GMPEjQmSQLkObS90BWYsluc2axim4/VwT/oDOEXwwWVPmkLJZ:aEjWvJ2aTKOEXwwWVuu
Score

3^/10

execution
behavioral15 behavioral16
- Target
  
  Furk-Ultra-main/Scripts/Old DEX Explorer.txt
- Size
  
  623KB
- MD5
  
  59bb3358c0ca9b0ea91a7b0ccb555fea
- SHA1
  
  431ec6ca815c82115076e44955cca92111306e0c
- SHA256
  
  dbb57ae0bb3c180501cf4a2c347686b8d5fb611c5aa02c52d07b72487c0e8a63
- SHA512
  
  8aaaa1e1d3fcc0838e5db10356af2dbf9577146d2d68663bdbf670c9f4721ebbfada5d74cb3c04506715876507e787364ba0736f6e9dcbec63deb97695fd681a
- SSDEEP
  
  12288:kv8/0gQjYXlA1iLG3sZa8rGZ4ni1YrfqNOJkJAFwOJqbzlONWjDurUf+tYD4uPIX:kv8/0gQjYXlA1iLG3sZa8rGZ4ni1Yrf9
Score

3^/10

execution
behavioral17 behavioral18
- Target
  
  Furk-Ultra-main/Scripts/TopKek ScriptHub.txt
- Size
  
  81KB
- MD5
  
  da6db26c9c3bbee0f1ac82e2cb80ee0b
- SHA1
  
  39ba261fd5d36a6234370f3ae9ad680e0e8113c4
- SHA256
  
  5364ad42dbce5beb80583fc5f318d578f0767360ddda3900eb6c10fe0e7bca09
- SHA512
  
  4a8bda111e7d4c9228625a81cac81032b6a7675800d0ce58dd0042f3586454e4c5a2208673a0801ae145d5a629303914deae0b503cc0ff240760f6267aa4a46a
- SSDEEP
  
  768:UxpiOrCmOj3qB4EpuNpEUi2rEnr2zkYtXQyphJ63rrrE7NQUWSfYQJB6r/CM7/f/:CrQsjfSnT4mqDO1/kmyFQ9liqN78cmL
Score

3^/10

execution
behavioral19 behavioral20
- Target
  
  Furk-Ultra-main/Scripts/[FE] Chat Bypass.txt
- Size
  
  875B
- MD5
  
  a48c6c1f7a4ec0d4fbfb1e8ab47148b4
- SHA1
  
  698cbc610bc9fde33bccdad88b1e7153800d135a
- SHA256
  
  fbca5616f06db07f96378da5c5c2a2e01628851621d263f219815010350d7ecf
- SHA512
  
  f3514e21d3b4d877ba5e4737024fe5479f38110f5df2f093e576ae19a65a16e73618fb8a9b10e9ae88fa762a54baa3b7122d86bc4ea5a6b5f505f06665f4bbba
Score

3^/10

execution
behavioral21 behavioral22
- Target
  
  Furk-Ultra-main/Scripts/[FE] God Mode.txt
- Size
  
  182KB
- MD5
  
  e4b18f3e252a03ff12e2f5ca0435a9cb
- SHA1
  
  892ca4bfae09248be3e23ecf0e4fb9552d2a68fa
- SHA256
  
  9e3c7448087ab8eb788c9ae51cb6f0811f3f62f4bc5875c51878d3e73bcc31ab
- SHA512
  
  e80268a8dbe6ed0c39a38946380f82abf14ed790cee806f62260de45e8ecda6c8ec4e878692c86442dbc9ed308825eb31dc68df7b7f109fa50c3975e1dfe8c8e
- SSDEEP
  
  3072:oRmZ+7RIYrglkoKxRvJPIsx3LTFS4smsQcePqrnIo44ry9qM3MUq:oRmA7RIYrglkoKxRvJPIsxgVmsQc6qrz
Score

3^/10

execution
behavioral23 behavioral24
- Target
  
  Furk-Ultra-main/System.Diagnostics.DiagnosticSource.dll
- Size
  
  34KB
- MD5
  
  8d9df432109f1cfdd86723b5f171e3d7
- SHA1
  
  85dc92edd4b0049ed9049e075c4def8a3d64e43b
- SHA256
  
  d22133818a30313e0becf010d78a556a56b34ea361dbd33588c9817631fed540
- SHA512
  
  5c83303934eecfa61c43a071d29c98e5804d37a5dc7f7b035772d6a168b0c5e65dfabef20b46214e65493c4bda44831cafee83615498fbe9e718c884f4650edf
- SSDEEP
  
  384:iQobG82oiaPaf/gn5LQ0+0zdQUv2CtyW8fiFISWbW9pWJbWivT1Nq0GftpBjAvnC:nA299fI5dxzL2CC11vimvnEBBNFT
Score

1^/10
behavioral25 behavioral26
- Target
  
  Furk-Ultra-main/bin/Bypass.exe
- Size
  
  7.3MB
- MD5
  
  b6fc4bbdbae0300b3c1fd00dccbcfe78
- SHA1
  
  2e14e298c29b2c79cf78a575a79f4488e85a0dd8
- SHA256
  
  99935b77b6c7387bb1d572704dd96e804d0a7655e2197afeab8baacc1ad9d067
- SHA512
  
  02bbacd3cd3d23f7eab4a33901eabeac6f706140e98835e916c97fb995cd747ac7c09494fcf9a90d0e92c5bc6a43123bfc32dcf88b7e1b5c713cfc7ff3ec9c15
- SSDEEP
  
  196608:VuhYS6qOshoKMuIkhVastRL5Di3uq1D7mo:QYSjOshouIkPftRL54DRN
Score

8^/10

upx collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral27 behavioral28
- Target
  
  Furk-Ultra-main/bin/Bypass1.exe
- Size
  
  17.6MB
- MD5
  
  2c0c9a7eee5098b51a24a00fa4882c30
- SHA1
  
  c853410921600843726571c4b2250e3c0f0470d7
- SHA256
  
  9eb4f0e1d1e1a195692d317a04f9cfaf528fa6aba186a05ad23eff3ec30fbb6f
- SHA512
  
  9532d83bb11b7e614881972c33d0b76e388aaa8db5041a537e8294043c950c7578e80642fed49e78039266197855d049de9e901624bf943574998aca72ca9831
- SSDEEP
  
  393216:tqPnLFXlrgUgQpDOETgsvfGAwgTwPvEeLg4MLA:0PLFXNgtQoEQMwUFH
Score

7^/10

upx discovery persistence privilege_escalation spyware stealer
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral29 behavioral30
- Target
  
  Furk-Ultra-main/bin/Helper.dll
- Size
  
  6.2MB
- MD5
  
  cdf73079a63074805810016f13fbbfce
- SHA1
  
  f7ecbbd392820ea6fb8cbc72911325c440c0c271
- SHA256
  
  c1eb4052b0a9d672595be10d21ff60a79039c5842d8c98e837251a721549c60b
- SHA512
  
  2eb5a41dfe01d6b58aba5d27a4b359f8b6ea2b913e465ca839f09b3c334aabe550d4925a6e786540a5c28c9086ed97b2187722f3bf62c54ae92922550f5e36e9
- SSDEEP
  
  98304:ff0ldnefVuuvtLonWJ7gatg6QrkP6G9qvPpZDI0evx+AquS/gdV7Wme+OEDl:kH6tvP613pZkvquddNLhOW
Score

3^/10

discovery
behavioral31 behavioral32