General

  • Target

    Desktop.rar

  • Size

    44.9MB

  • Sample

    250118-vgv6jsykgw

  • MD5

    7e91f1ec2469daeb7583dff154869886

  • SHA1

    21f537ab56fc76dd8fe03aa5eaf074398c82bc44

  • SHA256

    714000573abb56370c1ac54a94a0b14abea8a2bfc7f2efece60b946778d87520

  • SHA512

    479080ed59f4fda7b2af2f19a62f079b5a3236c484f9ef5975668fd3f0dce08787ff43a3586075b56bfd3fb9c26219a4afb2ad13c67b1684c8ad18bbc4bba37c

  • SSDEEP

    786432:q9X4lWbcNlWbsMlWbTdlWbLKH9Tzex6qh8pHrwSyzex6qh8XyjQ7FyjQ7wrtpNrb:q9XE9okXH9Ta0liSya0lRPwr1M3jpe

Malware Config

Targets

    • Target

      Armageddon Stealer 1.0 by Krusty/Armageddon Stealer 1.0 by Krusty.exe

    • Size

      436KB

    • MD5

      30b064d68ff6227419e29ddf0f5a81f3

    • SHA1

      f8e9b737b0350e93bf8b2d41479c0c9d00249cca

    • SHA256

      2c76e53d24f76b91c33a3cafefaa7100e590f433305f954f3233c56a8edaf9bd

    • SHA512

      579a9b5a8be8fb65fa3c34d2ac7c6e7e4943a2053897cf223419ea4936f0bc7a6469e2c57998a7b1ddd61f8b63dff0ed078ba993b6822b5c3d34c1c96e9d9bcc

    • SSDEEP

      3072:04lCFLQ666C66G666i666o666y666B66c666G66f666+666u6669p666366o6663:06CFgXtwJ3xjpfVKWMy

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Armageddon Stealer 1.0 by Krusty/mfc100cht.dll

    • Size

      36KB

    • MD5

      61a56eb574daa6ceab692f98be3e5bb6

    • SHA1

      b52aa36e1a2594fe0ac97ee0b867df822d223b76

    • SHA256

      928f0528706576c2f7211e98462e87e03bfc14eb7a84ca3531f45ce1d9f080a3

    • SHA512

      0b787be453e7d55b810e3075ab96e9f07a7f4a10d34c9082f17c26db0578a7199ddfccf1749c87c97541f9484908e59b1a237361b92123f98880dc5835173124

    • SSDEEP

      384:m1cPmgt96DteT9X2IEI41W4WA1G/7kn4TJgUqJgM3KbgkE3H+iihZ2+10vq0GftC:muufpTVI4P+7kn4TJVM3i/EhK2iex

    • Score

      1/10

    • Target

      Armageddon Stealer 1.0 by Krusty/mstscax.dll

    • Size

      7.6MB

    • MD5

      f988af5ce1a34ad0f4b66492aa1526c5

    • SHA1

      c8bd1ea389b50c4f5fe78164d3ea51ff5eb54a3b

    • SHA256

      cac0cfe8c203c6ce5010a981bf027a71dc47167d632546dcf60bd82bc181c80d

    • SHA512

      bd2f2cd977775b0aae4a7740ed23b4c2612d6d23b592ff267021605fc7a6b1db9062122dade8b070bc0917af14c71f3065eabc980cfbe8a8ddaa1b8feac7e4de

    • SSDEEP

      196608:C+shPWaOzbHoMvPBGT7pwNS45sU07CSmYPB2Yruy01KbzSSaL+hXL66M8R4yhWEQ:C+shP1OzbHoMvPBGnpwNS45sTCSmYPBo

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Target

      Armageddon Stealer 1.0 by Krusty/stub.arm

    • Size

      220KB

    • MD5

      03c537a05e9e03183d704d92f1dc7c55

    • SHA1

      3bb285d4d81302719003abd91ad1a05005120963

    • SHA256

      d1228fc20ffdaeb7c9463fd5fc16e3a2f003be88d3f8b7f3caa05f284f4426b2

    • SHA512

      47c6e1d9ebbcb5a867108f0a53f326eb778ad3a2faec52ef35bf05c31c4a3a97de78eff010a2553df348e82f9fe90c18a07549a72ac721f01e0387633a4dd581

    • SSDEEP

      3072:KxngmMy0K+UF6J+p7ndo3gL4PRDDJF6UPRVuWxkyotnNbQJVWZ46bkgzMX:egmMy0K+UF6J+p7ndo3gL4PR/7JAH

    • Score

      1/10

    • Target

      Armageddon Stealer 1.0 by Krusty/viewsource/Ionic.Zip.dll

    • Size

      480KB

    • MD5

      f6933bf7cee0fd6c80cdf207ff15a523

    • SHA1

      039eeb1169e1defe387c7d4ca4021bce9d11786d

    • SHA256

      17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89

    • SHA512

      88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6

    • SSDEEP

      6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9

    • Score

      1/10

    • Target

      Armageddon Stealer 1.0 by Krusty/viewsource/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Armageddon Stealer 1.0 by Krusty/viewsource/ak1.exe

    • Size

      1.2MB

    • MD5

      04db22887e319c4e0c98cf8427d88832

    • SHA1

      c76ad26bcf0093a87f96c967420846ee22273c68

    • SHA256

      f9e89b585abc0802fae71ae0bceab5a4fb9e2b7f07585c70c6ae51556b27b55e

    • SHA512

      68310e7faedd262000a32d844a6a0d76d442fcb49d1fb426330fae80e7164445d9700da3bbd1df32106afbf0fdf0bccda958c94a7c72c9337c04aa958e4633d6

    • SSDEEP

      24576:d0ESdQpglO1CxDyawn27h+9hrlgKQY9SGcZwCdTpcHi2TY:d0RIglO1CuL9VNcaCd9cH7Y

    • Score

      1/10

    • Target

      Armageddon Stealer 1.0 by Krusty/viewsource/stub.arm

    • Size

      220KB

    • MD5

      03c537a05e9e03183d704d92f1dc7c55

    • SHA1

      3bb285d4d81302719003abd91ad1a05005120963

    • SHA256

      d1228fc20ffdaeb7c9463fd5fc16e3a2f003be88d3f8b7f3caa05f284f4426b2

    • SHA512

      47c6e1d9ebbcb5a867108f0a53f326eb778ad3a2faec52ef35bf05c31c4a3a97de78eff010a2553df348e82f9fe90c18a07549a72ac721f01e0387633a4dd581

    • SSDEEP

      3072:KxngmMy0K+UF6J+p7ndo3gL4PRDDJF6UPRVuWxkyotnNbQJVWZ46bkgzMX:egmMy0K+UF6J+p7ndo3gL4PR/7JAH

    • Score

      1/10

    • Target

      AttWorm/ATTWorm Cracked.exe

    • Size

      206KB

    • MD5

      65173345032c2910ed0e8ad3361be38c

    • SHA1

      396fd05f6f867e1de7aef2a92065f7f901f6c8ce

    • SHA256

      713f8d4ead380959fe809e0be9915fccd282d25d0ca22092f8cb3cd2568b15a1

    • SHA512

      55478c8b238a76a37a2a52b36d90aefc5a6620459851c84f1b1108765b076dae21039ddafa130bb9265ba95ced8f0eb6365217a822812c202cc82d5a5a142a28

    • SSDEEP

      3072:T4lNncqsLPc20jV9yI95qeeeRUeeeO41DMf6RNYZVyZVijCvu:T6NcqiPc9jn9ueeeRUeeeOgvY6

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      AttWorm/Jint.dll

    • Size

      244KB

    • MD5

      734c5ce8f9b104d8ad3c7b494e96f9b9

    • SHA1

      184cd4152b1b65d9531867b06c2e1c215fb872f1

    • SHA256

      ed618668ae9e7c02c7c2b7332dd09079168cca96432a051044683c996337001c

    • SHA512

      1e3ac0649e3b7bf9e97681aa7b1346aa44afe96d8c86fc77a6e002b8cf5b14b1a57f19f669ed0d4ae9a94d3f65d4eefa99dcffcf5d74afc8731f913c9c9f79d6

    • SSDEEP

      3072:hE1DupDOGfyKkpsZa27k5t0f5jjBWV239UDjRFAkqYL36ZmvYYGUaKTUCRaikNrJ:hjyQlGunmvjPa2vRQrXPHNQHsq5+L

    • Score

      1/10

    • Target

      AttWorm/js.exe

    • Size

      1021KB

    • MD5

      4496891e5fbe826ebf237997230be371

    • SHA1

      66b869076903aec862690593e6f6500e998694f3

    • SHA256

      8cc835e500665935d80c8fed08dbd0abe99ece5e3e0b7b851e5caf1da6a94e83

    • SHA512

      54e73013234e43ba3ed4e246354f2baa9dfd9cbf4778a7b678237ee912d5ad0475ce8a3eec2e468c2edb32faa8b7869e4934b96c082fde4c2a659f4700201004

    • SSDEEP

      24576:bwhbC1W63iSYrxyMzh7fOXvlSzReeSd13Bqvk:2C1ZyWuZS3Bd

    • Score

      3/10

    • Target

      AttWorm/skci/Extreme.Net.dll

    • Size

      120KB

    • MD5

      4bd4346716370386491d6ebc4438b69d

    • SHA1

      7ba0238a2d9c44d0d17d8ad4b32c011b77d23624

    • SHA256

      155e446000555c8edac8304cef99c2cd54e8267981f1482d14a69c66575e6551

    • SHA512

      930d20a9e260f3d56a4621e884786999fc51cae9d63372d5bd88edb928dc384f97e3ba33fe5dde9eb0e09f558554950210c6d21d7f32606f79c976988c09aedf

    • SSDEEP

      3072:XRcoVeEY6IxYiXGaRwD0YKCGjNXqMG4ih3lbpr:XuoVeEYgOnS

    • Score

      1/10

    • Target

      AttWorm/skci/Ionic.Zip.dll

    • Size

      480KB

    • MD5

      f6933bf7cee0fd6c80cdf207ff15a523

    • SHA1

      039eeb1169e1defe387c7d4ca4021bce9d11786d

    • SHA256

      17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89

    • SHA512

      88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6

    • SSDEEP

      6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9

    • Score

      1/10

    • Target

      AttWorm/skci/Launcher.exe

    • Size

      53KB

    • MD5

      c6d4c881112022eb30725978ecd7c6ec

    • SHA1

      ba4f96dc374195d873b3eebdb28b633d9a1c5bf5

    • SHA256

      0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32

    • SHA512

      3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981

    • SSDEEP

      768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      AttWorm/skci/att.exe

    • Size

      251KB

    • MD5

      e4eed29dd468222723ce4281beb497b2

    • SHA1

      670a2b409e3b2be3145c2a1409f3483d1f143302

    • SHA256

      881cb0fb1d8fc32e7cc636c40602a189101f20f5926a7618658453b2d9318d63

    • SHA512

      297effe85c3d1f0e0f040fb10308a7ff29d2a0f30fd72559d02af94f01ed7097603afe9599da6908fd600a7a874ce58b19271553884d10aa6462c118ddb1703e

    • SSDEEP

      3072:1mSN+RTX2EO3FgZCkUlXtzFFi/1E1udxFxOq5JYAI:1B+TkgZCV9zf8d7JI

    • Score

      3/10

    • Target

      Aurora Worm v1/Aurora Worm v1-Cracked by RoN1N.exe

    • Size

      237KB

    • MD5

      6a71cad17a9f7abc8e54a04b6bb1d856

    • SHA1

      8f463222f8a67f7528e55b67be94f08b0bee1f41

    • SHA256

      9e2390d59fd9fdc2dfdae87d7abb64b550846d7b68e7908803920fd8863f47e8

    • SHA512

      1f9d3390db132d49bdc523b8587a46f217cac5633058f2bbcf58ec55ddbadbf139556ba4a57e9c997672e859f3df79f948568903355fefb942143387eb6bc81b

    • SSDEEP

      3072:L4lPEkV6jW+tKFh36Lv+GSBADfBZRBadxlv:L6PZMrETGmALon

    • Command and Scripting Interpreter: PowerShell

      Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      Aurora Worm v1/settings/Ionic.Zip.dll

    • Size

      480KB

    • MD5

      f6933bf7cee0fd6c80cdf207ff15a523

    • SHA1

      039eeb1169e1defe387c7d4ca4021bce9d11786d

    • SHA256

      17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89

    • SHA512

      88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6

    • SSDEEP

      6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9

    • Score

      1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx, modiloader
Score
10/10

behavioral1

discovery, execution, persistence
Score
8/10

behavioral2

discovery, execution, persistence
Score
8/10

behavioral3

Score
1/10

behavioral4

Score
1/10

behavioral5

persistence, privilege_escalation
Score
7/10

behavioral6

Score
1/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

discovery, execution, persistence
Score
8/10

behavioral11

discovery, execution, persistence
Score
8/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

discovery, execution, persistence
Score
8/10

behavioral17

discovery, execution, persistence
Score
8/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

discovery
Score
3/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

discovery, execution, persistence
Score
8/10

behavioral27

discovery, execution, persistence
Score
8/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery, execution, persistence
Score
8/10

behavioral31

discovery, execution, persistence
Score
8/10

behavioral32

Score
1/10