General
-
Target
Neverlose Crack by [Alien09] (NL404).7z
-
Size
15.4MB
-
Sample
250106-h9azvszngs
-
MD5
cb5327c0c7cef6f173d3c1533892ef8a
-
SHA1
49ced11fe3444b895d4a76bf14c7a698e067ab4a
-
SHA256
2c070d3d9ae8fb17eedb7d75815f4fe58ea6533d6f694d7a3fc0ec98a368e1c7
-
SHA512
5cf842c516d29188fe0459ebe7fe150f6aa558283645b5d390c374a78cd7ae53d4abf1f7bffd2a3523abad5dd0e7a88616e4cd584554ab0c95dbbe993e492212
-
SSDEEP
393216:elyw7AVkDaZvLK/31wgs4w8CrcB0itrZ+IfT29SP:elXAVoaZvONwj4wdq0Sp7wSP
Behavioral task
behavioral1
Sample
Neverlose Crack by [Alien09].exe
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
Neverlose Crack by [Alien09].exe
-
Size
16.4MB
-
MD5
80b90a94fa35250bac42bf10fe07b553
-
SHA1
dfafa1db45eb5f507ffbdafcf19c315d2ed7805d
-
SHA256
c43aaa5c884b7b604a8890d80cbac6a366aa0bdbdd9744d05485d07358b6f548
-
SHA512
a054ea4c3feff28f63e69dcfcbbcd072b5ba412f3f6d11a67610f3d35827b7a6c34ff986e4d9f21f8112f8756f1fa6dec0ce5be324214b63b090554ded97995e
-
SSDEEP
393216:5tskWIeq1BziHR3c357KhL+PKcA6E75kuSkl5:5tlNenJ+eOKcnc
-
Panda Stealer payload
-
Pandastealer family
-
Xmrig family
-
XMRig Miner payload
-
Command and Scripting Interpreter: PowerShell
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s)
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2
-
Power Settings
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (2)
    Service Execution (2)
Defense Evasion
  Impair Defenses (1)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (3)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Discovery
  Browser Information Discovery (1)
  Peripheral Device Discovery (1)
  Query Registry (3)
  Remote System Discovery (1)
  System Information Discovery (3)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
  System Time Discovery (1)