General

  • Target

    VorthenaSetup.7z

  • Size

    79.9MB

  • Sample

    250502-qbzvbs1tas

  • MD5

    d3d6ae1c48a7f031120195e5d12950f9

  • SHA1

    32920e88a746c5b6c21cc553a0beca9ee78f26ea

  • SHA256

    427fa906aa87b94e4ff264d391ba31688d5c82d9f371c897821a0faa0e00be1d

  • SHA512

    35528c92cd120351e81a176246ae39aa511621e12998d2691ae640b75b4eb6b24340e19e0e4b4e544165daec3229f7b9cdf054fd2bd6246f940197339d443fac

  • SSDEEP

    1572864:yrClTPolpn+XWGFRzSv985yP6gGDz6l3U9H/qDbQv9mJD7S/k:VTPWGaK5yP6gGDZ1obQFmJDqk

Malware Config

Targets

    • Target

      Vorthena Setup.exe

    • Size

      79.9MB

    • MD5

      c9f84246093d0715f9141addbe5bd7bc

    • SHA1

      646dfa8b5b02df4584ad6ce42f4f8b4f612a860d

    • SHA256

      53f39de0f5bd9c55c36db40186793e11b768430ab5087ed279345cf4e7f006d1

    • SHA512

      8e3dc7467129fc900e7eb704faf6200ff3acd17756da7e4c2f99c7dcd2c0413c1dc0465f05c675acf021c6d4dc5312e2de653bac613e6f0b118c1723ebc35907

    • SSDEEP

      1572864:QaRPWXKsflbPk7d04YrNrWWl7APULpKSR00FIZ8Y13gG1nKIV7:TWdk7m1WWl7APUP3u8Y1gG13V7

    • Renames multiple (194) files with added filename extension

      This suggests ransomware-style activity: encrypting files on the system and appending a new extension to each one.

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Enumerates processes with tasklist

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      Game.exe

    • Size

      191.0MB

    • MD5

      355bab286ea3b6f50a8807516870a9e9

    • SHA1

      8ca0add840ec253d2d98a394a1050d9225c03431

    • SHA256

      9d85e271a750ae19e54f147fdc061cf5de8ada218c9ab1c55cdee45ba16ce1e9

    • SHA512

      62274a53dce408495e95ce786df8b7b9d30239778e6270da78e1c01fd63a21b875d80aa19c565b2d453308507a6cbc5fbac292edbd080fbef5c0302e683956f0

    • SSDEEP

      1572864:xpnoNjghwW/8lxj9UNia0SUp6esGCA/Ys92JDSN01TCwaMWPwVdWeKtT4ZuBF/Ak:ciryLxW

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Enumerates processes with tasklist

    • Target

      LICENSES.chromium.html

    • Size

      11.7MB

    • MD5

      45bc486db849cf8b8f0e38f34c8ff05b

    • SHA1

      f33015f0e3767e869e6e8f9ab73332fd865d77a1

    • SHA256

      13b6a0f7b308c57cbced247d9ebb8c63aa97e253bdf2f21f733ae71cf48163a5

    • SHA512

      eb2edfa0de7a84079967664039a3b2a51153d77b0d2b477e50399d75b8180690969cb6f799fd0fc480a8c4760cb206d1e8602a1b16f4c5fd4a144ccf204b673f

    • SSDEEP

      24576:y9dQc6poY6jbCjK6uwR6ETamf1jZ6ojK6QjZ6UjK6ajK64jK6cjZ6ijK6b6cjK6z:yMeGAyWPbX8me7

    Score
    4/10
    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      a7b7470c347f84365ffe1b2072b4f95c

    • SHA1

      57a96f6fb326ba65b7f7016242132b3f9464c7a3

    • SHA256

      af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

    • SHA512

      83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

    • SSDEEP

      49152:hCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRN1:oG2QCwmHjnog/pzHAo/Ayc

    Score
    1/10
    • Target

      ffmpeg.dll

    • Size

      2.9MB

    • MD5

      929482816404b0cef4164477c6235198

    • SHA1

      ff92ad7fcc5c7ea427314f225bdd7aba16bb04ed

    • SHA256

      8e0a71294245c97616a15238974c54ce372b407c042b935904765c915cd003ee

    • SHA512

      5dd326d5943309f2606b329c8068e14aa7f1872f664eaae9a0937952e21d7a5ecc6ce21ea33a6e91a1e0840489261296210e83724a2f97051e19e4982acaad81

    • SSDEEP

      49152:SJcctgGDcyjVMLp2GDv6ZHIY1LYa12wL5tRGBnlqbAuHYUftjdljoyLFc6eFLkU8:S/+mI7Dv2HIY1LoqbAuHYUftjdljoyLp

    Score
    1/10
    • Target

      libEGL.dll

    • Size

      481KB

    • MD5

      9e12dcfefc212baaccdc3498ab81b66a

    • SHA1

      f33c05f4f120239df176a7bb667a0e00a2baba64

    • SHA256

      e57d447cbef2afaab8a901e67204de837bf4bce998c06c87c1f68033afd37744

    • SHA512

      45a152c5fd896dcbfcaae72ad6e9a48402f5f5b5dbe5497b98f009b9654d81bd4f4c68a9667e04db9f712cd95954538c35a76b765e042856c37a716bf739f5b8

    • SSDEEP

      6144:EGRDfOcVCmVzOZAprcPYL1IhVzlK3sBfAPPMotBR+CfqOvNBY7p3pq88qD35:EGRzOla021eVzlKcqMUR+CfqO16VEc

    Score
    1/10
    • Target

      libGLESv2.dll

    • Size

      7.7MB

    • MD5

      e2abd4d977f12dfeec34439b79794c8e

    • SHA1

      126fa77cf857e3fb3384e232ca1fa44ddcd704f2

    • SHA256

      bcafc569fe806aa2b282c600a2ebf0984c2c7c9fd361131171788e171a3b0dad

    • SHA512

      476aef839c48ff84f2eafbaf05b242bc12d779ac525f4189e0ef47fb4a1705c1cad2b63db61d8833dda2d1fcdcc9ab89ecf15bf6b16b5b1de42c7d49e31595c8

    • SSDEEP

      98304:OtTad6d8JCdoc7PjWstHFOHuMRA4Z0lxVXbi1A6WXMlEvN/:bd6d8q1HFpM+FboEd

    Score
    1/10
    • Target

      resources/app.asar.unpacked/node_modules/@gar/promisify/index.js

    • Size

      967B

    • MD5

      e3a489bf3a07d37a8e6a679b00cc03b7

    • SHA1

      a5aa156ae6257ad645789dc0d8536a3f17bda2ab

    • SHA256

      a4fe100eb176ab95328881fe9490ac91e72d3d2992ac7fb2b9562d264156a8a3

    • SHA512

      71d4700578136443f0a95886f5205abfa05464c5a69d28adfb3b3917b993de23c002b8a3dafdcd0dacbdea7f510f313761e1737b1186edaf05be0c0fcddf79e8

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@isaacs/cliui/build/index.cjs

    • Size

      10KB

    • MD5

      47dae5df7e3d5e0d94911f63b7dfcfb5

    • SHA1

      d48e8476113471b52120a1a5451a4f087c66fb0a

    • SHA256

      820aa357a7f6a022bfc3ac6ac19d1681921d0421cae898d5096423c0fb3b8607

    • SHA512

      48d10d6d7b1d82819adec345c2813b29edaff8cf10c7f5cd1c43d7b6773d2fc0a7f96f6ad157ce2f37634ca2c7607a41d8a0f24cd7f56886a2df6e6b1cbd30e2

    • SSDEEP

      192:/gFzQyF+TBn0VqDohmz8FFy/JG9jtUFhyhW6/npwzVtSvkxlIfjGcYxvkkMAyy46:/gjglSS/kT4U+/48x4Tiiq

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@isaacs/cliui/build/lib/index.js

    • Size

      9KB

    • MD5

      3df08507ebeb83a522978c95a0e11631

    • SHA1

      d8ba04747a972e69c353347598653d250f644716

    • SHA256

      e67b3446f47d4a672339c99bea9e987979da9fc70f421701814cb9d52ba176ba

    • SHA512

      dd7529bfe3d73b4a9d4a6f969695218036d8cc4766872836ec814b4637c430fd7c8ce3719f2d1141965f4cb3a9f2c6bec56b79212e1e6927d8a205385f6b464b

    • SSDEEP

      192:9gFzQyF+TBn0VqDohmz8FFy/JG9jtUFhyhW6/npwzVtSvkxlIfjGcYxvkkMAyy4/:9gjglSS/kT4U+/48x4TuY

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@isaacs/cliui/node_modules/ansi-regex/index.js

    • Size

      458B

    • MD5

      e43e7dd9870e775964534df28322676a

    • SHA1

      35c5880d08770abed86c1ad41d27c109c1e5cf1c

    • SHA256

      32f158884c3215c36f0e72549d022e20c5666593580b789728f969ddf61d87f6

    • SHA512

      fd69db4f09eeeefaac2db75ccacb6f8d3d7e81d1db5e66a0042fd7942cee2ff79fc8392ba837aa7f8ea1516254f3898da2531b19e31a2437b0250cef1330ff53

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@isaacs/cliui/node_modules/emoji-regex/RGI_Emoji.js

    • Size

      12KB

    • MD5

      ecfe555612280520671011f810c4705f

    • SHA1

      279c292e4c45265fa06a8957fdd6e1643fdbfd3e

    • SHA256

      d02478271a0e0ba3a1753ffb2217aba4ff6852ecc6833eea880946b15103a8f9

    • SHA512

      ffc5d3058d94b9ed1a6b259f8a095363baa1c1c9809890552cb44d2887f8de1448404bbd1d515c3713173cacc9adbe2a47039f94fb908bd9a029ab805d011a59

    • SSDEEP

      96:4TtOjllm4Uh4zutkZyhRA4JUraRFsw7ZpqsFRatj9Fnkz+jmS0WVJK4m1io++Qdq:4VzTgMU4GgawCZlen

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@isaacs/cliui/node_modules/emoji-regex/es2015/RGI_Emoji.js

    • Size

      13KB

    • MD5

      c356c4d646d1460f1d61617dbf60522e

    • SHA1

      780b5f3a12284f0dcc50ddfbac2611c79535c719

    • SHA256

      6ef32d4593f0f75cc80d87d49eba6c635a6ac9b5e0f8202520a6027277a7134e

    • SHA512

      7b718c09ec52375bdc321865a5230f52f038cbefff170a71d85670876e8bba34a4f36abdea8a7c07ac1c446c2f4fb681acc0e340f903c8dc2f084104adee7cde

    • SSDEEP

      192:4UyCa20qNgG/kFBEKT4BlvFuTMS8Z4wZQZotVNZl8b2vKO9XuLYRfTAkCwtU1kIN:4Vg4LYVNn8b8K+eLWD7Gxus

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@isaacs/cliui/node_modules/emoji-regex/es2015/index.js

    • Size

      16KB

    • MD5

      c934d55b9f92a8d3bea1f6a87fa56533

    • SHA1

      fa44ce6a357bbf705c09e42d5cdb194f59c1e79a

    • SHA256

      8899e020a16b1d0647c6bbd84e17592f1def5e65f4818fd7c21c0f10008b04dd

    • SHA512

      90e3aec17c5d211e1c5dbe6adfe44cc2fa2306cba93c247901c00d94125037dd6473615a11c720668caca4167b7ef5de278d3c2879be8f357b9ee5d6e783f2b3

    • SSDEEP

      192:4UyCa20qNgG/kFBEKT4BlvFuTMS8Z4wZQZotVNZl8b2vKO9XuLYRfTAkCwtU1kI7:4Vg4LYVNn8b8K+eLWD7GxusJ/DdVd5

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@isaacs/cliui/node_modules/emoji-regex/es2015/text.js

    • Size

      15KB

    • MD5

      12148d2dff9ca3478e4467945663fa70

    • SHA1

      50998482c521255af2760ed95bbdb1c4f7387212

    • SHA256

      1fb82c82d847ebc4aa287f481ff67c8cc9bde03149987b2d43eb0dee2a5160b6

    • SHA512

      f9f6a61af37d1924e3a9785aa04a33fa0107791d54cb07663c6ea8a68edfae3766682e914b6afaf198eb97c7f73ab53aa500b4661cdabdebd2576526664166f4

    • SSDEEP

      192:4UyCa20qNgG/kFBEKT4BlvFuTMS8Z4wZQZotVNZl8b2vKO9XuLYRfTAkCwtU1kIr:4Vg4LYVNn8b8K+eLWD7GxuzDdVm

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@isaacs/cliui/node_modules/emoji-regex/index.js

    • Size

      15KB

    • MD5

      d59a0c2ebd6eea2ecde91d5d8db69597

    • SHA1

      415b8552cc069b0b51ec9a0d11e674d0d7bce944

    • SHA256

      0766305faf3d167ffd85ad6b6d52c80bfebb90187d83ea6f96ed84b583777e95

    • SHA512

      5f33674cbb42282d829e9ce33ad638996166fbd84295886ec9868242c3b3c18a685cf22cad32563c607182ead141b872f3a9d69b8608b2cf700336e1d48eade5

    • SSDEEP

      96:4TtOjllm4Uh4zutkZyhRA4JUraRFsw7ZpqsFRatj9Fnkz+jmS0WVJK4m1io++Qde:4VzTgMU4GgawCZleYwZG038y

    Score
    3/10
    • Target

      resources/app.asar.unpacked/node_modules/@isaacs/cliui/node_modules/emoji-regex/text.js

    • Size

      14KB

    • MD5

      7b33dd38c0c08bf185f5480efdf9ab90

    • SHA1

      b3d9d61ad3ab1f87712280265df367eff502ef8b

    • SHA256

      d1e41c11aa11e125105d14c95d05e1e1acd3bede89429d3a1c12a71450318f88

    • SHA512

      22da641c396f9972b136d4a18eb0747747252cf7d5d89f619a928c5475d79375fbbe42d4e91821102e271ea144f89267ff307cd46494fdf7d6002ce9768b7bd9

    • SSDEEP

      96:4TtOjllm4Uh4zutkZyhRA4JUraRFsw7ZpqsFRatj9Fnkz+jmS0WVJK4m1io++Qd2:4VzTgMU4GgawCZleT038/

    Score
    3/10
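
The behaviours flagged above for Vorthena Setup.exe and Game.exe (browser remote debugging, process enumeration with tasklist, a registry country-code lookup, and bulk renames that append an extension) each correspond to telemetry an EDR or Sysmon deployment records. The Python below is an added example, not code from the sandbox or from the sample: it runs one detection heuristic per behaviour over constructed process, registry and rename events. The Geo\Nation registry path taken to stand for the "location settings" check, the 50-rename cut-off, the .locked extension, and every path and PID are assumptions made for the example, not observations from this report.

```python
"""Detection heuristics for the behaviours listed in this sandbox report.

Added example, not code from the sandbox or from the sample. Events are a
plain list of dicts standing in for Sysmon process-create, registry and
file-rename records; everything below is constructed for illustration.
"""
import ntpath
import re
from collections import defaultdict

CHROMIUM_BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "conhost.exe"}
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port=(\d+)|pipe)", re.IGNORECASE)
# Assumption: the per-user country code under Control Panel\International is
# taken as the "computer location settings" lookup; the report gives no key.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
RENAME_THRESHOLD = 50  # assumed cut-off; the report counted 194 renames


def _base(image):
    return ntpath.basename(image).lower()


def _process_map(events):
    return {e["pid"]: e for e in events if e["type"] == "process"}


def _ancestors(pid, procs):
    """Yield the parent chain of pid as image basenames, nearest parent first."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        parent = procs[pid]["ppid"]
        if parent not in procs:
            break
        yield _base(procs[parent]["image"])
        pid = parent


def detect_remote_debugging(events):
    """A Chromium browser given a DevTools endpoint by a non-browser parent."""
    procs = _process_map(events)
    findings = []
    for e in procs.values():
        if _base(e["image"]) not in CHROMIUM_BROWSERS:
            continue
        m = REMOTE_DEBUG_RE.search(e["cmdline"])
        if not m:
            continue
        parents = list(_ancestors(e["pid"], procs))
        if parents and parents[0] in CHROMIUM_BROWSERS:
            continue  # a browser relaunching itself is not the interesting case
        findings.append({"pid": e["pid"],
                         "port": int(m.group(1)) if m.group(1) else None,
                         "launched_by": parents[0] if parents else None})
    return findings


def detect_tasklist(events):
    """tasklist.exe launches, attributed to the nearest non-shell ancestor."""
    procs = _process_map(events)
    findings = []
    for e in procs.values():
        if _base(e["image"]) != "tasklist.exe":
            continue
        origin = next((p for p in _ancestors(e["pid"], procs) if p not in SHELLS), None)
        findings.append({"pid": e["pid"], "origin": origin})
    return findings


def detect_geo_lookup(events):
    """Registry reads of the (assumed) country-code value."""
    return [e for e in events if e["type"] == "registry" and GEO_KEY_RE.search(e["key"])]


def detect_bulk_rename(events, threshold=RENAME_THRESHOLD):
    """Processes that renamed >= threshold files by appending an extension."""
    per_pid = defaultdict(list)
    for e in events:
        if e["type"] != "rename":
            continue
        old, new = e["old"], e["new"]
        if new.startswith(old) and len(new) > len(old):
            per_pid[e["pid"]].append(new[len(old):])
    return {pid: {"count": len(exts), "extensions": sorted(set(exts))}
            for pid, exts in per_pid.items() if len(exts) >= threshold}


# Constructed telemetry; paths, PIDs and the .locked extension are invented.
INSTALLER = r"C:\Users\victim\Downloads\Vorthena Setup.exe"
GAME = r"C:\Users\victim\AppData\Local\Programs\Vorthena\Game.exe"
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": INSTALLER, "cmdline": '"Vorthena Setup.exe"'},
    {"type": "process", "pid": 300, "ppid": 200, "image": GAME, "cmdline": '"Game.exe"'},
    {"type": "process", "pid": 310, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"type": "process", "pid": 311, "ppid": 310, "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
    {"type": "process", "pid": 320, "ppid": 300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": 'chrome.exe --headless --remote-debugging-port=9222 --user-data-dir="C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data"'},
    {"type": "registry", "pid": 300, "key": r"HKCU\Control Panel\International\Geo\Nation"},
]
EVENTS += [{"type": "rename", "pid": 300,
            "old": rf"C:\Users\victim\Documents\doc{i}.docx",
            "new": rf"C:\Users\victim\Documents\doc{i}.docx.locked"} for i in range(60)]


def run_all(events=EVENTS):
    return {"remote_debugging": detect_remote_debugging(events),
            "tasklist": detect_tasklist(events),
            "geo_lookup": detect_geo_lookup(events),
            "bulk_rename": detect_bulk_rename(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_all(), indent=2))
```

Of the four, the remote-debugging check carries the most signal on its own: a Chromium browser started with `--remote-debugging-port` or `--remote-debugging-pipe` by anything other than the browser itself or a developer tool is rarely legitimate, and the parent attribution (here Game.exe) is what turns it into an incident rather than a noisy alert. The rename heuristic is deliberately counted per process rather than per host so that an installer unpacking its own payload does not trip it.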

MITRE ATT&CK Enterprise v16

Tasks

static1

Score
3/10

behavioral1

credential_access, discovery, ransomware, spyware, stealer
Score
9/10

behavioral2

credential_access, discovery, ransomware, spyware, stealer
Score
9/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

credential_access, discovery, spyware, stealer
Score
8/10

behavioral8

discovery
Score
4/10

behavioral9

discovery
Score
4/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

execution
Score
3/10

behavioral15

execution
Score
3/10

behavioral16

execution
Score
3/10

behavioral17

execution
Score
3/10

behavioral18

execution
Score
3/10

behavioral19

execution
Score
3/10

behavioral20

execution
Score
3/10

behavioral21

execution
Score
3/10

behavioral22

execution
Score
3/10

behavioral23

execution
Score
3/10

behavioral24

execution
Score
3/10

behavioral25

execution
Score
3/10

behavioral26

execution
Score
3/10

behavioral27

execution
Score
3/10

behavioral28

execution
Score
3/10

behavioral29

execution
Score
3/10

behavioral30

execution
Score
3/10

behavioral31

execution
Score
3/10

behavioral32

execution
Score
3/10