General
-
Target
Scarlet - Leaked.zip
-
Size
870.2MB
-
Sample
241204-x9xaesxmgv
-
MD5
a3b5feef02115678f978db7554c7f31d
-
SHA1
ff33112cea6b9b07978ff6cc0110bcabf87a119a
-
SHA256
4e01f67d085ba2a7adf841ddd17abd8a315589084b08f57aa38f2d94fad2f096
-
SHA512
2f542536c63d39aa91fcd9a3551c8c35fa353527c3b2b92bbe03f317cc4cd59468f3dab08d07b3accf3d462113ff6978cc2c20a47d921cc131a280ba60b0d9ef
-
SSDEEP
25165824:sjgRGxSjypuk9ED+LeElqRwAbtbwxW6pbG:sjmGxE2h9i+BlquA5eWH
Behavioral task
behavioral1
Sample
Scarlet - Leaked.zip
Resource
win11-20241007-en
Behavioral task
behavioral2
Sample
Scarlet - Leaked/1 (3).exe
Resource
win11-20241007-en
Behavioral task
behavioral3
Sample
Scarlet - Leaked/Leaked by Bm666 (7.5).exe
Resource
win11-20241007-en
Behavioral task
behavioral4
Sample
Scarlet - Leaked/Leaked by Bm666 .exe
Resource
win11-20241007-en
Behavioral task
behavioral5
Sample
Scarlet - Leaked/Videos (4)/InShot_10190927_154545638.exe
Resource
win11-20241007-en
Behavioral task
behavioral6
Sample
Scarlet - Leaked/Videos (4)/Part 3.exe
Resource
win11-20241007-en
Malware Config
Extracted
skuld
https://discord.com/api/webhooks/1239728722446127235/CpLJBY80lsrvoWdpGjb7u3dhcW1liVDmy8--92GwopK7rc1uao8ShPq737KOZB0mDKuj
https://discord.com/api/webhooks/1239446722099286036/03iTGgnO1RXQSJpzERDxtEJ1DFuminwxIxeZh8ICScbvQq6rVvo6IKfigRDYRYMvbGSj
Targets
-
-
Target
Scarlet - Leaked.zip
-
Size
870.2MB
-
MD5
a3b5feef02115678f978db7554c7f31d
-
SHA1
ff33112cea6b9b07978ff6cc0110bcabf87a119a
-
SHA256
4e01f67d085ba2a7adf841ddd17abd8a315589084b08f57aa38f2d94fad2f096
-
SHA512
2f542536c63d39aa91fcd9a3551c8c35fa353527c3b2b92bbe03f317cc4cd59468f3dab08d07b3accf3d462113ff6978cc2c20a47d921cc131a280ba60b0d9ef
-
SSDEEP
25165824:sjgRGxSjypuk9ED+LeElqRwAbtbwxW6pbG:sjmGxE2h9i+BlquA5eWH
Score1/10 -
-
-
Target
Scarlet - Leaked/1 (3).exe
-
Size
9.5MB
-
MD5
4b4fd9e69f42cb13de665dc393ca174d
-
SHA1
6dccc955f9e3ceb435790a93ecd37e9584d07526
-
SHA256
09d72f61453036336d192add55ec5b538b0d10a8d0901c84a039e2ab18c8bc46
-
SHA512
7d7c6f2e2f35b35c997a61922b9a4e8d054f79c4a5163f45c07d53ebfc04ad7ebeeb7fa769bdf3712c84654a6994621d2134b890b6b2ec08265802a93e3edb79
-
SSDEEP
98304:8vksIj0SI3ZpInyzr70vjDy3yMJEEYXOSF8Me53H:8Ls0SI3cckvjDyCMKEYX7e53H
-
Skuld family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
-
-
Target
Scarlet - Leaked/Leaked by Bm666 (7.5).exe
-
Size
9.5MB
-
MD5
24b21ce0ed7f316e6c01fd3d0ee6b5ce
-
SHA1
d79b1cb928fb1474b17bb0c47f86984bbffcc48e
-
SHA256
4a755f2a58e81e25763f504e5bea95a94ee6205aa79798aff61ccf60aa98382f
-
SHA512
4612c3cfe97457104f8e88502ebc1c3b4874a4c8569d52993748da4f9f48e8a07ca11dcc2921992d7e7ba09147255f6981ed4ff7dbf9aee6eb5e58ba81547b8c
-
SSDEEP
98304:ZYV6CCYzwyyJOmzPx0NEzB5IEPqSF8u83e:k5CYzcgUx0NEV5hPR83e
-
Skuld family
-
Drops file in Drivers directory
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
-
-
Target
Scarlet - Leaked/Leaked by Bm666 .exe
-
Size
9.5MB
-
MD5
24b21ce0ed7f316e6c01fd3d0ee6b5ce
-
SHA1
d79b1cb928fb1474b17bb0c47f86984bbffcc48e
-
SHA256
4a755f2a58e81e25763f504e5bea95a94ee6205aa79798aff61ccf60aa98382f
-
SHA512
4612c3cfe97457104f8e88502ebc1c3b4874a4c8569d52993748da4f9f48e8a07ca11dcc2921992d7e7ba09147255f6981ed4ff7dbf9aee6eb5e58ba81547b8c
-
SSDEEP
98304:ZYV6CCYzwyyJOmzPx0NEzB5IEPqSF8u83e:k5CYzcgUx0NEV5hPR83e
-
Skuld family
-
Drops file in Drivers directory
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
-
-
Target
Scarlet - Leaked/Videos (4)/InShot_10190927_154545638.exe
-
Size
9.5MB
-
MD5
4b4fd9e69f42cb13de665dc393ca174d
-
SHA1
6dccc955f9e3ceb435790a93ecd37e9584d07526
-
SHA256
09d72f61453036336d192add55ec5b538b0d10a8d0901c84a039e2ab18c8bc46
-
SHA512
7d7c6f2e2f35b35c997a61922b9a4e8d054f79c4a5163f45c07d53ebfc04ad7ebeeb7fa769bdf3712c84654a6994621d2134b890b6b2ec08265802a93e3edb79
-
SSDEEP
98304:8vksIj0SI3ZpInyzr70vjDy3yMJEEYXOSF8Me53H:8Ls0SI3cckvjDyCMKEYX7e53H
-
Skuld family
-
Drops file in Drivers directory
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
-
-
Target
Scarlet - Leaked/Videos (4)/Part 3.exe
-
Size
9.5MB
-
MD5
24b21ce0ed7f316e6c01fd3d0ee6b5ce
-
SHA1
d79b1cb928fb1474b17bb0c47f86984bbffcc48e
-
SHA256
4a755f2a58e81e25763f504e5bea95a94ee6205aa79798aff61ccf60aa98382f
-
SHA512
4612c3cfe97457104f8e88502ebc1c3b4874a4c8569d52993748da4f9f48e8a07ca11dcc2921992d7e7ba09147255f6981ed4ff7dbf9aee6eb5e58ba81547b8c
-
SSDEEP
98304:ZYV6CCYzwyyJOmzPx0NEzB5IEPqSF8u83e:k5CYzcgUx0NEV5hPR83e
-
Skuld family
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4