Overview
overview
10Static
static
10Armageddon...ty.exe
windows7-x64
8Armageddon...ty.exe
windows10-2004-x64
8Armageddon...ht.dll
windows7-x64
1Armageddon...ht.dll
windows10-2004-x64
1Armageddon...ax.dll
windows10-2004-x64
7Armageddon...ub.exe
windows7-x64
1Armageddon...ub.exe
windows10-2004-x64
1Armageddon...ip.dll
windows7-x64
1Armageddon...ip.dll
windows10-2004-x64
1Armageddon...er.exe
windows7-x64
8Armageddon...er.exe
windows10-2004-x64
8Armageddon...k1.exe
windows7-x64
1Armageddon...k1.exe
windows10-2004-x64
1Armageddon...ub.exe
windows7-x64
1Armageddon...ub.exe
windows10-2004-x64
1AttWorm/AT...ed.exe
windows7-x64
8AttWorm/AT...ed.exe
windows10-2004-x64
8AttWorm/Jint.dll
windows7-x64
1AttWorm/Jint.dll
windows10-2004-x64
1AttWorm/js.exe
windows7-x64
1AttWorm/js.exe
windows10-2004-x64
3AttWorm/sk...et.dll
windows7-x64
1AttWorm/sk...et.dll
windows10-2004-x64
1AttWorm/sk...ip.dll
windows7-x64
1AttWorm/sk...ip.dll
windows10-2004-x64
1AttWorm/sk...er.exe
windows7-x64
8AttWorm/sk...er.exe
windows10-2004-x64
8AttWorm/skci/att.exe
windows7-x64
3AttWorm/skci/att.exe
windows10-2004-x64
3Aurora Wor...1N.exe
windows7-x64
8Aurora Wor...1N.exe
windows10-2004-x64
8Aurora Wor...ip.dll
windows7-x64
1Analysis
-
max time kernel
91s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
18-01-2025 16:58
Behavioral task
behavioral1
Sample
Armageddon Stealer 1.0 by Krusty/Armageddon Stealer 1.0 by Krusty.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
Armageddon Stealer 1.0 by Krusty/Armageddon Stealer 1.0 by Krusty.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
Armageddon Stealer 1.0 by Krusty/mfc100cht.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
Armageddon Stealer 1.0 by Krusty/mfc100cht.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
Armageddon Stealer 1.0 by Krusty/mstscax.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral6
Sample
Armageddon Stealer 1.0 by Krusty/stub.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral7
Sample
Armageddon Stealer 1.0 by Krusty/stub.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral8
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/Ionic.Zip.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral9
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/Ionic.Zip.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral10
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/Launcher.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral11
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/Launcher.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/ak1.exe
Resource
win7-20241010-en
windows7-x64
Behavioral task
behavioral13
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/ak1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/stub.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral15
Sample
Armageddon Stealer 1.0 by Krusty/viewsource/stub.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
AttWorm/ATTWorm Cracked.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral17
Sample
AttWorm/ATTWorm Cracked.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
AttWorm/Jint.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral19
Sample
AttWorm/Jint.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
AttWorm/js.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral21
Sample
AttWorm/js.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
AttWorm/skci/Extreme.Net.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral23
Sample
AttWorm/skci/Extreme.Net.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
AttWorm/skci/Ionic.Zip.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral25
Sample
AttWorm/skci/Ionic.Zip.dll
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
AttWorm/skci/Launcher.exe
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral27
Sample
AttWorm/skci/Launcher.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
AttWorm/skci/att.exe
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral29
Sample
AttWorm/skci/att.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
Aurora Worm v1/Aurora Worm v1-Cracked by RoN1N.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral31
Sample
Aurora Worm v1/Aurora Worm v1-Cracked by RoN1N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
Aurora Worm v1/settings/Ionic.Zip.dll
Resource
win7-20241010-en
windows7-x64
General
-
Target
Armageddon Stealer 1.0 by Krusty/mstscax.dll
-
Size
7.6MB
-
MD5
f988af5ce1a34ad0f4b66492aa1526c5
-
SHA1
c8bd1ea389b50c4f5fe78164d3ea51ff5eb54a3b
-
SHA256
cac0cfe8c203c6ce5010a981bf027a71dc47167d632546dcf60bd82bc181c80d
-
SHA512
bd2f2cd977775b0aae4a7740ed23b4c2612d6d23b592ff267021605fc7a6b1db9062122dade8b070bc0917af14c71f3065eabc980cfbe8a8ddaa1b8feac7e4de
-
SSDEEP
196608:C+shPWaOzbHoMvPBGT7pwNS45sU07CSmYPB2Yruy01KbzSSaL+hXL66M8R4yhWEQ:C+shP1OzbHoMvPBGnpwNS45sTCSmYPBo
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Modifies registry class 48 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230206-9A39-4D58-8674-CDB4DFF4E73B}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230207-D6A7-11D8-B9FD-000BDBD1F198} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4}\ = "IWTSPluginServiceProvider" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D782928E-FE4E-4E77-AE90-9CD0B3E3B353}\ProxyStubClsid32\ = "{A1230201-1439-4E62-A414-190D0AC3D40E}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230203-D6A7-11D8-B9FD-000BDBD1F198} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230203-D6A7-11D8-B9FD-000BDBD1F198}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230203-D6A7-11D8-B9FD-000BDBD1F198}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230205-D6A7-11D8-B9FD-000BDBD1F198} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D782928E-FE4E-4E77-AE90-9CD0B3E3B353}\ = "IWTSBitmapRendererCallback" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA326091-05FE-40C1-B49C-3D2EF4626A0E} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA326091-05FE-40C1-B49C-3D2EF4626A0E}\NumMethods\ = "4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1230201-1439-4E62-A414-190D0AC3D40E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A1230201-1439-4E62-A414-190D0AC3D40E}\InProcServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230204-D6A7-11D8-B9FD-000BDBD1F198} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4}\ProxyStubClsid32\ = "{A1230201-1439-4E62-A414-190D0AC3D40E}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA326091-05FE-40C1-B49C-3D2EF4626A0E}\ProxyStubClsid32\ = "{A1230201-1439-4E62-A414-190D0AC3D40E}" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230204-D6A7-11D8-B9FD-000BDBD1F198}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230206-9A39-4D58-8674-CDB4DFF4E73B}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D782928E-FE4E-4E77-AE90-9CD0B3E3B353} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D782928E-FE4E-4E77-AE90-9CD0B3E3B353}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\NumMethods\ = "6" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230206-9A39-4D58-8674-CDB4DFF4E73B} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230207-D6A7-11D8-B9FD-000BDBD1F198}\NumMethods regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4}\NumMethods\ = "4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230205-D6A7-11D8-B9FD-000BDBD1F198}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230205-D6A7-11D8-B9FD-000BDBD1F198}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D782928E-FE4E-4E77-AE90-9CD0B3E3B353}\NumMethods regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230201-1439-4E62-A414-190D0AC3D40E} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230204-D6A7-11D8-B9FD-000BDBD1F198}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA326091-05FE-40C1-B49C-3D2EF4626A0E}\ = "IWTSBitmapRenderService" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA326091-05FE-40C1-B49C-3D2EF4626A0E}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\ProxyStubClsid32\ = "{A1230201-1439-4E62-A414-190D0AC3D40E}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B7ACC97-F3C9-46F7-8C5B-FA685D3441B1}\ = "IWTSBitmapRenderer" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D3E07363-087C-476C-86A7-DBB15F46DDB4}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA326091-05FE-40C1-B49C-3D2EF4626A0E}\ProxyStubClsid32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D782928E-FE4E-4E77-AE90-9CD0B3E3B353}\NumMethods\ = "4" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230201-1439-4E62-A414-190D0AC3D40E}\ProxyStubClsid32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230201-1439-4E62-A414-190D0AC3D40E}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A1230207-D6A7-11D8-B9FD-000BDBD1F198}\ProxyStubClsid32 regsvr32.exe