Overview

overview

10

Static

static

10

Build/Arca...er.exe

windows7-x64

7

Build/Arca...er.exe

windows10-2004-x64

8

Build/Arca...le.dll

windows7-x64

8

Build/Arca...le.dll

windows10-2004-x64

6

Build/ArcadiaUI.exe

windows7-x64

7

Build/ArcadiaUI.exe

windows10-2004-x64

8

Build/Fast...ox.dll

windows7-x64

1

Build/Fast...ox.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Build.zip

  • Size

    20.9MB

  • Sample

    250106-s7yy1szqg1

  • MD5

    202c2cc945735ac0d31abe80e837f7fd

  • SHA1

    08a29149a1048a74af1752190593e5096facf595

  • SHA256

    490063206c1049e12cd3e29e7ae9a166950b48c074706aa4e45b467cc1738314

  • SHA512

    886708183358a23dfa84769bab0a7ca5a7aab2e3928fa84d88893b46fa59636391266000be96aed1e4c8edac59e76e923d194cecb0ac0ee5ce95ad9cec4fc8fe

  • SSDEEP

    393216:SuOdVhb6boN5DiEYKNvOwOGWkUURE0hZXR/uOdVhb6boN5DiEYKNvOwOGWkUUl:sLksNwjKNv2qFSEX7LksNwjKNv2qFl

Score
10/10
blankgrabbercollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupx

Malware Config

Targets

    • Target

      Build/ArcadiaLauncher.exe

    • Size

      9.6MB

    • MD5

      935811dc5d515b089afe293d4471d215

    • SHA1

      9e7d4ec78767b94752ec657fdd7dc5a83e6d1cd8

    • SHA256

      d5be09b425b16925940fa291de9f802051e7cd366dbd6dba66742e334ef8dd90

    • SHA512

      1aa7704c31971cd84dcffc31bedeff99b97fb589a2499a0a633d3dc6f80024d9fa19c347fa12530d92c597b1ab4eb2f89b98a5a127ace1af2b49edec9d7b6647

    • SSDEEP

      196608:nd1dXlQZ5tLBxApPwfI9jUCnORird1KfbLOYgN2oc+nBIdAx3:dbiZ5tMpEIHOQ76bynnBIK

    Score
    8/10
    upxcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      Build/ArcadiaModule.dll

    • Size

      3.7MB

    • MD5

      963dd477745b743e2b9eb68f74d041e3

    • SHA1

      db6e33d894cc30bae3ddb15707d4548acf4d5211

    • SHA256

      53d26b675a6647691cbcde73635ccaf30771bdbe3ce626597573509a10989812

    • SHA512

      bb18b75a6c399bde20828740090732cb923c03ff0b265487bd1607fea0935ade40ae5390b74d9be0e114a081c6d522f7bbd31584b9970e36aacfac2505b08ac8

    • SSDEEP

      49152:JmL50v1uE4GyK66rxhKR6QA39miwsXw4uDkl6mUDu/eG0vHnIqAEr3:umdf1KrAIiwsXw4uDkl7au/2H

    Score
    8/10

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    behavioral3behavioral4

    • Target

      Build/ArcadiaUI.exe

    • Size

      9.6MB

    • MD5

      935811dc5d515b089afe293d4471d215

    • SHA1

      9e7d4ec78767b94752ec657fdd7dc5a83e6d1cd8

    • SHA256

      d5be09b425b16925940fa291de9f802051e7cd366dbd6dba66742e334ef8dd90

    • SHA512

      1aa7704c31971cd84dcffc31bedeff99b97fb589a2499a0a633d3dc6f80024d9fa19c347fa12530d92c597b1ab4eb2f89b98a5a127ace1af2b49edec9d7b6647

    • SSDEEP

      196608:nd1dXlQZ5tLBxApPwfI9jUCnORird1KfbLOYgN2oc+nBIdAx3:dbiZ5tMpEIHOQ76bynnBIK

    Score
    8/10
    upxcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral5behavioral6

    • Target

      Build/FastColoredTextBox.dll

    • Size

      323KB

    • MD5

      71963eb6707ef2de595d336d5810082b

    • SHA1

      aefa3ec8411e2ad2a7f0a496be0c7f52cb908bd5

    • SHA256

      f67f8caf9216123c0f669ae7a0e9a086a28ad9fee7e4756c224a7706ceaab1cd

    • SHA512

      a2410423d7d9c730e3d7d48a03a01342149778539bc2bb32fa404d1722296eb1f0ebfc2f8224665b6e84b6e17a16cc3392334ad7958662fe9d65c6bada6a471b

    • SSDEEP

      6144:JR0J4lxA/7BA4xvNIwcKAZ+IBJhaeFMdFDCBdxBsqmLDi5eN5DDl1SqPF:JR0J4ElAovNIwxAZdBOeFMuzheN5

    Score
    1/10
    behavioral7behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks