General

  • Target

    Vorthena Setup.7z

  • Size

    79.9MB

  • Sample

    250502-p6l2aatlz6

  • MD5

    d3d6ae1c48a7f031120195e5d12950f9

  • SHA1

    32920e88a746c5b6c21cc553a0beca9ee78f26ea

  • SHA256

    427fa906aa87b94e4ff264d391ba31688d5c82d9f371c897821a0faa0e00be1d

  • SHA512

    35528c92cd120351e81a176246ae39aa511621e12998d2691ae640b75b4eb6b24340e19e0e4b4e544165daec3229f7b9cdf054fd2bd6246f940197339d443fac

  • SSDEEP

    1572864:yrClTPolpn+XWGFRzSv985yP6gGDz6l3U9H/qDbQv9mJD7S/k:VTPWGaK5yP6gGDZ1obQFmJDqk

Malware Config

Targets

    • Target

      Vorthena Setup.exe

    • Size

      79.9MB

    • MD5

      c9f84246093d0715f9141addbe5bd7bc

    • SHA1

      646dfa8b5b02df4584ad6ce42f4f8b4f612a860d

    • SHA256

      53f39de0f5bd9c55c36db40186793e11b768430ab5087ed279345cf4e7f006d1

    • SHA512

      8e3dc7467129fc900e7eb704faf6200ff3acd17756da7e4c2f99c7dcd2c0413c1dc0465f05c675acf021c6d4dc5312e2de653bac613e6f0b118c1723ebc35907

    • SSDEEP

      1572864:QaRPWXKsflbPk7d04YrNrWWl7APULpKSR00FIZ8Y13gG1nKIV7:TWdk7m1WWl7APUP3u8Y1gG13V7

    • Renames multiple (194) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar items.

    • Enumerates processes with tasklist

    • Target

      Game.exe

    • Size

      191.0MB

    • MD5

      355bab286ea3b6f50a8807516870a9e9

    • SHA1

      8ca0add840ec253d2d98a394a1050d9225c03431

    • SHA256

      9d85e271a750ae19e54f147fdc061cf5de8ada218c9ab1c55cdee45ba16ce1e9

    • SHA512

      62274a53dce408495e95ce786df8b7b9d30239778e6270da78e1c01fd63a21b875d80aa19c565b2d453308507a6cbc5fbac292edbd080fbef5c0302e683956f0

    • SSDEEP

      1572864:xpnoNjghwW/8lxj9UNia0SUp6esGCA/Ys92JDSN01TCwaMWPwVdWeKtT4ZuBF/Ak:ciryLxW

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and similar items.

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v16

Tasks