growtopia | af01b25f7db087fe50e3deebf5e55f8cdf9c3588d223471b4f71d9aa82fc92fd

General

Target

AJProxy.exe
Size

638KB
MD5

6dbf1564024546cf0da4bf8f35936265
SHA1

ec7b401b5222590e9116d36fb454108a09c7d6a7
SHA256

af01b25f7db087fe50e3deebf5e55f8cdf9c3588d223471b4f71d9aa82fc92fd
SHA512

0a4194bbea2b895306a505ca7e27a22fd79589b3c8e6eeae3f747a184f720e87f586d77b5fb88ed24d1447b467f972873150db92f18139d0c5f3d278b304b72d
SSDEEP

12288:h32/lChV9mf/2QRXDD1yed0fsU4GSWaOvPESGj4s32xEdRCS:h3yChVA2Q9NXw2/wPOjdGxY

Score

10^/10

growtopia discovery stealer

Malware Config

Signatures

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
Growtopia family
growtopia

Downloads MZ/PE file 1 IoCs

flow	pid	Process
51	1392	Process not Found

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/memory/1104-1-0x00000000003A0000-0x0000000000446000-memory.dmp	net_reactor

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	icanhazip.com

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AJProxy.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4280	MicrosoftEdgeUpdate.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
3516	timeout.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1104	AJProxy.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 912	1104	AJProxy.exe	94
PID 1104 wrote to memory of 912	1104	AJProxy.exe	94
PID 1104 wrote to memory of 912	1104	AJProxy.exe	94
PID 912 wrote to memory of 3516	912	cmd.exe	96
PID 912 wrote to memory of 3516	912	cmd.exe	96
PID 912 wrote to memory of 3516	912	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\AJProxy.exe
"C:\Users\Admin\AppData\Local\Temp\AJProxy.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c timeout /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\AJProxy.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3516

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
1⤵
- System Location Discovery: System Language Discovery
PID:2264

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjUzQjlFOTktNENFNy00MjYzLUEwM0QtM0JBQTEyQzc4RjU4fSIgdXNlcmlkPSJ7NzlBREZEQzQtNDA0NC00ODhELUEzRUUtQzE0ODgxN0I5RjJBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjA1MEI0QjAtMDY4Qy00NTJBLUIxOEUtRDYwREMyNzJCOEQ2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU5MjEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODE5ODA3NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MzIyODMwNTY1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
402KB

MD5
8307cbd4f25d09ff45205c0391bd5e76

SHA1
fcef1876a82fee4994727693aa53e0390a443422

SHA256
bc7ecf54a3b744099f139866d521aea01705037a635ec22b5f65adb842be59a5

SHA512
11513d56047dcc6095f3081de81df5ef4d62a5b6accf6e2d68237c329f2fe7cdd248c505086c5696aaa247a7c01ffd78a59a160f8ab95fdf85385ca1f4128ce8

Download Submit
memory/1104-0-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

Filesize
4KB

Download
memory/1104-1-0x00000000003A0000-0x0000000000446000-memory.dmp

Filesize
664KB

Download
memory/1104-2-0x0000000073F70000-0x0000000074720000-memory.dmp

Filesize
7.7MB

Download
memory/1104-4-0x0000000073F7E000-0x0000000073F7F000-memory.dmp

Filesize
4KB

Download
memory/1104-5-0x0000000005740000-0x00000000057A6000-memory.dmp

Filesize
408KB

Download
memory/1104-6-0x0000000073F70000-0x0000000074720000-memory.dmp

Filesize
7.7MB

Download
memory/1104-8-0x0000000073F70000-0x0000000074720000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing