growtopia | cf0b47eafa7787a698bc8dbb62d18f1d16d0659ff7bd7e6312ccb50b08b754b6

Sharing

Copy URL

Twitter E-mail

General

Target

Astral-Stealer-v1.8.zip
Size

5.0MB
Sample

250113-v5cn4s1kft
MD5

99f1133043b27927628725cdedab82fc
SHA1

5c5eff02b8cd8468638712cef2f58df38b678c8a
SHA256

cf0b47eafa7787a698bc8dbb62d18f1d16d0659ff7bd7e6312ccb50b08b754b6
SHA512

62c751ef8d6f4977f8eaca662213532eacbcd14debdab16f85c4750e5385d78f55ed8f24a929aba82a719e4fda429be61e15a109bf26178f887636465b4b4497
SSDEEP

98304:VKq8KgB9itUfnBgeOCR3zyISfP/5Jyb6LswnFbkcoIyeU6t:VKq8KS9itUfnBgeOC1zan5J9LLoLIf

Score

10^/10

Malware Config

Targets

- Target
  
  net8.0-windows/Astral Stealer.dll
- Size
  
  2.1MB
- MD5
  
  aae3db3d79052fbdd65728644d0b778b
- SHA1
  
  f0dbb597f050d060e4dc6c7c44ed4edccccdae3f
- SHA256
  
  9e2e1e1392cbd5097033cfd40a1d496f9bb31003d7c80cba53eb8cdd100531f4
- SHA512
  
  c2fca2b32f1170df4d2aa348ec2276318edaf69d22d983fb7bab6fc0a19a80d29539c969e602c6c2ac318bfed0b15692acd5b31cac8018eb5ed43c0dce5fead2
- SSDEEP
  
  49152:DxsrbCb35u50T5u50T5u50T5u50T5u50T5u50Ls25u50S5u50:DCncpMyMyMyMyMyMTEMnM
Score

1^/10
behavioral1
- Target
  
  net8.0-windows/Astral Stealer.exe
- Size
  
  139KB
- MD5
  
  726c717d3e26f216b316f169ae4befd2
- SHA1
  
  673efa718917cfd5685a3fa91f8ca0607ee59bda
- SHA256
  
  1e7a930303762a3a1f8678da099225d9276d1a9fa16ced07a9fb4f14e0201bd9
- SHA512
  
  2438ec07d41d19f7c4aa1885408784f5d68bcf979b5481cf0de14bfdb5d91d9b96ef6d651291733e4141e4b8f23bbb139baa04ebb92033ca9c4b9797519adb52
- SSDEEP
  
  3072:PiS4omp03WQthI/9S3BZi08iRQ1G78IVn2sbS7cJp8lt2:PiS4ompB9S3BZi0a1G78IVAcLct
Score

8^/10

defense_evasion discovery persistence privilege_escalation
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Blocklisted process makes network request
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Probable phishing domain
behavioral2
- Target
  
  net8.0-windows/Astral_assets/Injection/discord-injection.js
- Size
  
  87KB
- MD5
  
  f09e312599375709a60d60e87d4317ee
- SHA1
  
  55dab351087947ecbf2a745a47476c2dbcfe907e
- SHA256
  
  1df7b0b11b9eca886e8ad118efe0196ca3202f08a2f803c9ed62c99b14d7b386
- SHA512
  
  87d78a313eb2515b65d4b33b1ff787d17ad48180b17b03c30cd342a9ece0049e40e411ac91f950b3fece43658624cffb9808da3fbdf1f30e9ff0be3c1e54be76
- SSDEEP
  
  1536:tK4SxabNH1fyDsH4ntTVPV3yTMHQHiM+ta0QUta+Yx4Y7tn1/yDsHYXicLjFfVnM:jb11fyDsH4ntT1V3yTMHQHiMMYx4Y71n
Score

3^/10

execution
behavioral3
- Target
  
  net8.0-windows/Astral_assets/obfuscation/obfuscation.py
- Size
  
  6KB
- MD5
  
  285744b7932bde6ca1bf8ca33534736a
- SHA1
  
  44226fba522b7deb198ac8eb98bbd148c11ae1de
- SHA256
  
  7445dc0c6dafacfe6cda1bf5ac93efb0eab39f1d1f787195c93a8d9b9d8aea75
- SHA512
  
  a27b5aa08329bd841c76a7d89872b95f12b083970c8c343973a18d8b15739d88d61f651078d4beefb954d13ef50e1db30eff549512db318257016bca7ea28f44
- SSDEEP
  
  96:BFokKZB5DqxqDxkyjAMwRw+UVt4LsevwLzRCS:BFoTqxyxHjV9nt4IevwLMS
Score

3^/10
behavioral4
- Target
  
  net8.0-windows/Astral_assets/upx/upx.exe
- Size
  
  525KB
- MD5
  
  8a98406e32ed6139bd9e75342d452948
- SHA1
  
  ed77737b88a7351d0bc5f542ddb7ce84f8f95588
- SHA256
  
  a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b
- SHA512
  
  f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b
- SSDEEP
  
  12288:fOHsWPQsJdQmiR0eYG16fyP8RHzS75CaNgMYqIW7I2:2QmiWK16rRHzS7U6ip2
Score

5^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5
- Target
  
  net8.0-windows/Guna.UI2.dll
- Size
  
  2.1MB
- MD5
  
  b429ae86c5be521bc8ca3b164cec3acb
- SHA1
  
  387560073ff5a1f2191abc6f75fc34532bbb6dd2
- SHA256
  
  3ac70532408b89159bfe235d4ed228faa03ae3fbd63ec6a82d895f287a3b0579
- SHA512
  
  eae65de53da50708983ed8ebf9e1e3dd5f9aea95a354d272e199bb59517f62bfe35f0df7a37d81ab0423d0d6d29304fa70284c731bd54023e446b2c19bacafb1
- SSDEEP
  
  24576:DgWuftU4WrNOA6sM6kXxMfNmnjk/c5NrH0UUoo2QkJXVSItH5ppoO0KzJ6nFwHQL:DA+NOpXm1mnj0cP+DkhMAiawnFV
Score

1^/10
behavioral6
- Target
  
  net8.0-windows/Newtonsoft.Json.dll
- Size
  
  695KB
- MD5
  
  adf3e3eecde20b7c9661e9c47106a14a
- SHA1
  
  f3130f7fd4b414b5aec04eb87ed800eb84dd2154
- SHA256
  
  22c649f75fce5be7c7ccda8880473b634ef69ecf33f5d1ab8ad892caf47d5a07
- SHA512
  
  6a644bfd4544950ed2d39190393b716c8314f551488380ec8bd35b5062aa143342dfd145e92e3b6b81e80285cac108d201b6bbd160cb768dc002c49f4c603c0b
- SSDEEP
  
  12288:mFIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMW:6zMTMNNd+g5Wk78GBBjgrIQtDF
Score

1^/10
behavioral7
- Target
  
  net8.0-windows/System.Management.dll
- Size
  
  72KB
- MD5
  
  1c71e5310151ce1e9a3a92797776bdad
- SHA1
  
  fd452b874fec4a9dae61a3710fb32749dc7d701e
- SHA256
  
  f515ca5c944c332ab706ff0a7c2e53e66d0d9d8a663e9b2691b35129ee22559b
- SHA512
  
  2a4f18c77449c2d06a3ab6807338f73b03b1faa332e78319829ba3a2b6fd98bb9a83c5e29b47d55e4ce7f0dfdcd8524fa592a0f3ca8ee09daae2894b681265a8
- SSDEEP
  
  768:BrEP45HksbMU3se5c/0b/9nLZV1BCUkVoV0lP7H0CkkiSLJKdbY8Mtuo0eDQP9zu:bbz5wulNV1zkSQzHxkxS9yc8no0nzu
Score

1^/10
behavioral8
- Target
  
  net8.0-windows/install-python.bat
- Size
  
  683B
- MD5
  
  d2582c98db5aad03be0d391a265f861b
- SHA1
  
  bb545f83d8d69c8a1a08cd773ddcb53689e8f57c
- SHA256
  
  44d62021bd4fa1870a45fc9f1b9bb978196987452688060a87ee97e4626fa4af
- SHA512
  
  268a5a71c70081ee8d6aa34d0a9158740712e174a70a0fac2972bd8fa812c34107ba2859d2f31391cc4b27f3f81a986160d9feb14880bdf02fe0c43567b2afbe
Score

8^/10

discovery
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral9
- Target
  
  net8.0-windows/install.bat
- Size
  
  38B
- MD5
  
  667537a1c25c3050eba77c74a343329f
- SHA1
  
  794df2143bd7bd07f9ade899d8fb1055b93236ea
- SHA256
  
  60e27d880d37915497117cecaf8919b5330ff908880451e937d4a83a8f563375
- SHA512
  
  19ec6064e8ed3ecf531bb8f051b88314c12e55dafd1380830acdf3496c3f863f8ba4dbb14a898cc4d2523846dfba5b021d4716b55781830be7fcf0bbae3dd011
Score

1^/10
behavioral10
- Target
  
  net8.0-windows/runtimes/win/lib/net7.0/System.Management.dll
- Size
  
  288KB
- MD5
  
  76e0aaa7182e77403bf6fe2af8d90f28
- SHA1
  
  d013c5d649f9ebce5bee1c8b774f3290b1f1f532
- SHA256
  
  a7e248c3e6f25f4673e2006fa77f4a4322a3c74c2652dcc395178329feb7ff28
- SHA512
  
  8e161a375fe174d9b203c2a098c92aff411d8521eef133d5174ae7409c394157f7a067c2a9dfe3f76cb02acbed52c33a11579b9a1cbee75e4092e6487d1a7bc1
- SSDEEP
  
  6144:TMbKUVLmD7HP9ab+T5sBFzPnQpEZFAc2Q:45VL2Z++tw92Q
Score

3^/10

discovery
behavioral11