Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-01-2025 16:58
General
-
Target
Armageddon Stealer 1.0 by Krusty/Armageddon Stealer 1.0 by Krusty.exe
-
Size
436KB
-
MD5
30b064d68ff6227419e29ddf0f5a81f3
-
SHA1
f8e9b737b0350e93bf8b2d41479c0c9d00249cca
-
SHA256
2c76e53d24f76b91c33a3cafefaa7100e590f433305f954f3233c56a8edaf9bd
-
SHA512
579a9b5a8be8fb65fa3c34d2ac7c6e7e4943a2053897cf223419ea4936f0bc7a6469e2c57998a7b1ddd61f8b63dff0ed078ba993b6822b5c3d34c1c96e9d9bcc
-
SSDEEP
3072:04lCFLQ666C66G666i666o666y666B66c666G66f666+666u6669p666366o6663:06CFgXtwJ3xjpfVKWMy
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Drops file in Windows directory 9 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\Armageddon Stealer 1.0 by Krusty.exe"C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\Armageddon Stealer 1.0 by Krusty.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\viewsource\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\viewsource\Launcher.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\IMF\Windows Services.exe"C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\IMF\Secure System Shell.exe"C:\Windows\IMF\Secure System Shell.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\IMF\Runtime Explorer.exe"C:\Windows\IMF\Runtime Explorer.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Users\Admin\AppData\Roaming\5⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\viewsource\ak1.exe"C:\Users\Admin\AppData\Local\Temp\Armageddon Stealer 1.0 by Krusty\viewsource\ak1.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
64B
MD52bb158a0e6a40f9500860738e4ef9ed2
SHA19fb78524b7c34ea51d7a2771b877fc71f7b428ce
SHA256936ea53d3821d87b44b950a580285b1456ad7144c55aa2782dcc931f2b346c92
SHA512c3f35acb5d542205eecfccbd83ed14329e12a5cfe6c5b9fbed7fd94983eedfe350a6fdbdd72ce3b125aa86ff865257b7c25ecfb5b4cff02f39da02a2df58ef1f
-
Filesize
88B
MD52cf0925c2ad295d8c07760fa26108596
SHA1ca25244b44bf670c9acc84903e857be0ac8dedf7
SHA256e6b83e1f946a57dc10a3ef452d65c9c4d38beec6ccbf4e069836c38448a894c3
SHA512fbb94c85f5fbb42b69362189dc29caa6ca46d05dde5a6407f73424a2cbb054b92edb368a171998fd440ed9d5c28692013874aa3d9b1aa1336bb0dd8ef3ef0832
-
Filesize
101B
MD5d0fb983b03f4ffa027c51dab7544c259
SHA1dcfe29534ab26129188506e4e80aceb9f9c9e166
SHA256c10db787797dc1a2c6b092b10174695990d471c593f56599f2db076a56a507f3
SHA5125025a8c2a797b4c14ff0b9ed22c66873094d02203b62dd50f59c68e54f780765858d1ffec74575b717055727292d105792a63bf87c91a43817ea2e0974312fc5
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
152KB
MD503f5e0141f4519f0c5ac26ce0b036a0f
SHA14f7a2a230e7a194a898cc9f2d563ac8777fe99c0
SHA25678a408c628e33e3332645f480ee7ce01b5dc24fc96cf16ffa0868d43f3d421ef
SHA51286a68f040654006e06b51c5714e0d7168d0d1bef7f3c39843632068104f773f771d21be4bc251d712f3e915cd1058f89ad31d9e3f3d9e7cf6da6785cbf22d8d7
-
Filesize
45KB
MD57d0c7359e5b2daa5665d01afdc98cc00
SHA1c3cc830c8ffd0f53f28d89dcd9f3426be87085cb
SHA256f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809
SHA512a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407
-
Filesize
46KB
MD5ad0ce1302147fbdfecaec58480eb9cf9
SHA1874efbc76e5f91bc1425a43ea19400340f98d42b
SHA2562c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3
SHA512adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53
-
Filesize
68KB
-
Filesize
304KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
80KB
-
Filesize
56KB
-
Filesize
600KB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
6.5MB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
652KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
200KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
504KB
-
Filesize
80KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
4.8MB
-
Filesize
32KB
-
Filesize
664KB
-
Filesize
384KB
-
Filesize
584KB
-
Filesize
464KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
304KB
-
Filesize
80KB
-
Filesize
68KB
-
Filesize
652KB
-
Filesize
72KB
-
Filesize
72KB