General

  • Target

    https://github.com/ColossusYTTV/GorillaTag-Account-Manager/releases/download/1.0/GtagAccountManager.exe

  • Sample

    250330-elercszshv

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Extracted

Family

lokibot

C2

http://blesblochem.com/two/gates1/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      https://github.com/ColossusYTTV/GorillaTag-Account-Manager/releases/download/1.0/GtagAccountManager.exe

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    • Crimsonrat family

    • Floxif family

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Lokibot family

    • Modifies WinLogon for persistence

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Detects Floxif payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Warzone RAT payload

    • Downloads MZ/PE file

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Impair Defenses: Safe Mode Boot

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks