Overview

overview

10

Static

static

3

GTA IV Crackeado.scr

windows7-x64

10

GTA IV Crackeado.scr

windows10-ltsc 2021-x64

10

GTA IV Crackeado.scr

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    gZPAx.gz

  • Size

    82KB

  • Sample

    250304-ryjmastkw5

  • MD5

    f6f64a02c9701f198ca74b21c12aa104

  • SHA1

    55db9d1d4ee2be102f687f9be2ef8e1b3c133769

  • SHA256

    c7bbae8717c7c7cc8bb665ae648f9043aa9dec077bea04859ebf6375b7786f40

  • SHA512

    fad325881cf51167bf8a31d0586800d810b6c89c4dfc8a6a6b88238cd82760839fe805f1a72cc35235ef278239cf7d68a1657b548c174ed4e1cf8959e5d143d4

  • SSDEEP

    1536:+7+v3Z5eVFH22WpNYnq4hqNkBI9vA1Sp/i3njFe2oWS8FY3uWbI1sAfa5UBTjzlS:L3gW2Wpiq40NqOooujc2ouFY33AfauhQ

Score
10/10
asyncratxoristcloud1discoverypersistenceransomwareratspywarestealerupx

Malware Config

Extracted

Family

asyncrat

Botnet

CLOUD1

C2

mst555-h63x-l-windows.sbs:8888

Attributes
  • delay

    3

  • install

    true

  • install_file

    OfficeClickToGo.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      GTA IV Crackeado.scr

    • Size

      92KB

    • MD5

      45fd5ec423b9249dadeb514183ab92ef

    • SHA1

      970d4eae78bc6c930af937293e30624837cb1be7

    • SHA256

      1fd9737a9a043e1286868cbd211bae4bf8d39e719232268624308da77e491b3e

    • SHA512

      30bc9dd43f30d50fd8301113b721cf147f5e5e4c3466cefb26aa36ed0529dccdb9473adac5bdfcba33fde4d6b8a762fec3fd67c64dfc858c13af96f588930941

    • SSDEEP

      1536:jvsBtJyPA+ITEtnnA0GX416ZW2I51wr7bepjyDAF80xVY5pp:jvsrYHI6npCQeWFLq6BCg80Ux

    Score
    10/10
    asyncratxoristcloud1discoverypersistenceransomwareratspywarestealerupx

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detected Xorist Ransomware

    • Xorist Ransomware

      Xorist is a ransomware first seen in 2020.

      ransomwarexorist

    • Xorist family

      xorist

    • Async RAT payload

      rat

    • Renames multiple (2200) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks