General
Target: Vorthena Setup.7z
Size: 79.9MB
Sample: 250502-p6l2aatlz6
MD5: d3d6ae1c48a7f031120195e5d12950f9
SHA1: 32920e88a746c5b6c21cc553a0beca9ee78f26ea
SHA256: 427fa906aa87b94e4ff264d391ba31688d5c82d9f371c897821a0faa0e00be1d
SHA512: 35528c92cd120351e81a176246ae39aa511621e12998d2691ae640b75b4eb6b24340e19e0e4b4e544165daec3229f7b9cdf054fd2bd6246f940197339d443fac
SSDEEP: 1572864:yrClTPolpn+XWGFRzSv985yP6gGDz6l3U9H/qDbQv9mJD7S/k:VTPWGaK5yP6gGDZ1obQFmJDqk
Static task: static1

Behavioral task: behavioral1
Sample: Vorthena Setup.exe
Resource: win10ltsc2021-20250425-en

Behavioral task: behavioral2
Sample: Vorthena Setup.exe
Resource: win11-20250410-en

Behavioral task: behavioral3
Sample: Game.exe
Resource: win10ltsc2021-20250425-en

Behavioral task: behavioral4
Sample: Game.exe
Resource: win11-20250410-en
Malware Config

Targets

Target: Vorthena Setup.exe
Size: 79.9MB
MD5: c9f84246093d0715f9141addbe5bd7bc
SHA1: 646dfa8b5b02df4584ad6ce42f4f8b4f612a860d
SHA256: 53f39de0f5bd9c55c36db40186793e11b768430ab5087ed279345cf4e7f006d1
SHA512: 8e3dc7467129fc900e7eb704faf6200ff3acd17756da7e4c2f99c7dcd2c0413c1dc0465f05c675acf021c6d4dc5312e2de653bac613e6f0b118c1723ebc35907
SSDEEP: 1572864:QaRPWXKsflbPk7d04YrNrWWl7APULpKSR00FIZ8Y13gG1nKIV7:TWdk7m1WWl7APUP3u8Y1gG13V7

- Renames multiple (194) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
Target: Game.exe
Size: 191.0MB
MD5: 355bab286ea3b6f50a8807516870a9e9
SHA1: 8ca0add840ec253d2d98a394a1050d9225c03431
SHA256: 9d85e271a750ae19e54f147fdc061cf5de8ada218c9ab1c55cdee45ba16ce1e9
SHA512: 62274a53dce408495e95ce786df8b7b9d30239778e6270da78e1c01fd63a21b875d80aa19c565b2d453308507a6cbc5fbac292edbd080fbef5c0302e683956f0
SSDEEP: 1572864:xpnoNjghwW/8lxj9UNia0SUp6esGCA/Ys92JDSN01TCwaMWPwVdWeKtT4ZuBF/Ak:ciryLxW
Score: 8/10

- Uses browser remote debugging
  Can be used to control the browser and steal sensitive information such as credentials and session cookies.
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence check.
- Enumerates processes with tasklist
MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)