MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Growtopia


Vendor detections: 11


Intelligence 11 IOCs YARA 31 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2
SHA3-384 hash: 3d62cff187cbe9732cd52a2f3ae4e0a93c27c69b97c5ec4c7fb8a19283eb1497785ac98040ef6f7bdd1796bda83c8d3e
SHA1 hash: b04810bcad458b6771d4f8430033a6e608a1324b
MD5 hash: a92c1499dbcfff3bc5b57853f6219eec
humanhash: solar-quebec-juliet-potato
File name:file
Download: download sample
Signature Growtopia
Create hunting rule
File size:39'040'103 bytes
First seen:2024-11-03 19:57:43 UTC
Last seen:2024-11-05 10:37:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f0486e7e054aa57188c99b0f71783b75 (3 x NodeLoader, 2 x LummaStealer, 1 x DiscordTokenStealer)
ssdeep 393216:RQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mg396l+ZArYsFRlrN2:R3on1HvSzxAMN3FZArYs+PvAX7OZ0i
TLSH T13887AE03B2A501E5E4B7D1388AA75203D772B8674731CACF325D02161FBBAE09A7F765
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon f89efcf8f971f2e0 (9 x NodeLoader, 6 x Amadey, 6 x Plugx)
Reporter Bitsight
Tags:exe growtopia


Avatar
Bitsight
url: http://documentreviewone.com/notes/document.exe

Intelligence

File Origin
# of uploads :
27
# of downloads :
1'183
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-03 20:35:29 UTC
Tags:
discord arch-doc
Link:
https://app.any.run/tasks/fcf71f61-86e1-4323-a4b9-8632e2931e53

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6727d5d78d23d9049133303c
Tags:
powershell gumen
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a file in the system32 directory
Deleting a recently created file
Creating a file
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Launching a process
DNS request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Reading critical registry keys
Connection attempt
Sending a custom TCP request
Creating a file in the %AppData% subdirectories
Creating a file in the Windows subdirectories
Creating a window
Сreating synchronization primitives
Moving a recently created file
Modifying a system file
Blocking the User Account Control
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Launching a tool to kill processes
Setting a single autorun event
Adding an exclusion to Microsoft Defender
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2
Result
Verdict:
MALICIOUS
Result
Threat name:
Growtopia
Create hunting rule
Detection:
malicious
Classification:
spyw.expl.evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1548094
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Detected generic credential text file
Disables UAC (registry)
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1548094 Sample: file.exe Startdate: 03/11/2024 Architecture: WINDOWS Score: 100 150 www.python.org 2->150 152 dualstack.python.map.fastly.net 2->152 154 discord.com 2->154 172 Sigma detected: WScript or CScript Dropper 2->172 174 AI detected suspicious sample 2->174 176 Sigma detected: Dot net compiler compiles file from suspicious location 2->176 178 3 other signatures 2->178 14 file.exe 85 2->14         started        19 wscript.exe 2->19         started        21 wscript.exe 2->21         started        23 svchost.exe 2->23         started        signatures3 process4 dnsIp5 158 dualstack.python.map.fastly.net 151.101.0.223, 443, 49741 FASTLYUS United States 14->158 160 discord.com 162.159.137.232, 443, 49740, 49776 CLOUDFLARENETUS United States 14->160 142 C:\Users\user\AppData\...\QG6zSrhW7q.ps1, ASCII 14->142 dropped 144 C:\Users\user\AppData\Local\...\Li4l3Mf0b6.py, Python 14->144 dropped 146 C:\Users\user\AppData\Local\...\webdata.db, SQLite 14->146 dropped 148 9 other files (7 malicious) 14->148 dropped 164 Adds a directory exclusion to Windows Defender 14->164 166 Detected generic credential text file 14->166 25 cmd.exe 1 14->25         started        28 cmd.exe 14->28         started        30 cmd.exe 1 14->30         started        36 16 other processes 14->36 168 Windows Scripting host queries suspicious COM object (likely to drop second stage) 19->168 170 Suspicious execution chain found 19->170 32 file.exe 19->32         started        34 file.exe 21->34         started        162 127.0.0.1 unknown unknown 23->162 file6 signatures7 process8 signatures9 204 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 25->204 206 Suspicious powershell command line found 25->206 208 Uses cmd line tools excessively to alter registry or file data 25->208 212 2 other signatures 25->212 38 powershell.exe 22 25->38         started        42 WMIC.exe 28->42         started        44 reg.exe 30->44         started        46 cmd.exe 32->46         started        48 conhost.exe 32->48         started        50 cmd.exe 34->50         started        52 conhost.exe 34->52         started        210 Adds a directory exclusion to Windows Defender 36->210 54 getmac.exe 36->54         started        56 13 other processes 36->56 process10 file11 134 C:\Users\user\AppData\...\poruey3k.cmdline, Unicode 38->134 dropped 186 Queries memory information (via WMI often done to detect virtual machines) 38->186 188 Writes or reads registry keys via WMI 38->188 58 csc.exe 3 38->58         started        190 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 42->190 192 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 42->192 194 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 42->194 196 Disables UAC (registry) 44->196 198 Suspicious powershell command line found 46->198 61 powershell.exe 46->61         started        63 powershell.exe 50->63         started        200 Creates autostart registry keys with suspicious values (likely registry only malware) 56->200 202 Loading BitLocker PowerShell Module 56->202 signatures12 process13 file14 136 C:\Users\user\AppData\Local\...\poruey3k.dll, PE32 58->136 dropped 65 cvtres.exe 1 58->65         started        67 file.exe 61->67         started        72 file.exe 63->72         started        process15 dnsIp16 156 151.101.192.223, 443, 49777, 49784 FASTLYUS United States 67->156 118 C:\ProgramData\Steam\...\Passwords.txt, ASCII 67->118 dropped 120 C:\ProgramData\Steam\...behaviorgraphoogle_Default.txt, ASCII 67->120 dropped 122 C:\ProgramData\Steam\Launcher\...\Cards.txt, ASCII 67->122 dropped 124 C:\ProgramData\Steam\...\Autofills.txt, ASCII 67->124 dropped 180 Adds a directory exclusion to Windows Defender 67->180 182 Detected generic credential text file 67->182 74 cmd.exe 67->74         started        77 cmd.exe 67->77         started        79 cmd.exe 67->79         started        87 7 other processes 67->87 126 C:\Users\user\AppData\Local\...\jQ78ZC5AUW.py, Python 72->126 dropped 128 C:\ProgramData\Steam\...\Passwords.txt, ASCII 72->128 dropped 130 C:\ProgramData\Steam\...behaviorgraphoogle_Default.txt, ASCII 72->130 dropped 132 2 other malicious files 72->132 dropped 184 Tries to harvest and steal browser information (history, passwords, etc) 72->184 81 cmd.exe 72->81         started        83 cmd.exe 72->83         started        85 cmd.exe 72->85         started        89 2 other processes 72->89 file17 signatures18 process19 signatures20 214 Uses cmd line tools excessively to alter registry or file data 74->214 91 reg.exe 74->91         started        93 reg.exe 77->93         started        95 powershell.exe 79->95         started        97 powershell.exe 81->97         started        99 tasklist.exe 83->99         started        101 tasklist.exe 85->101         started        103 tasklist.exe 87->103         started        107 3 other processes 87->107 105 powershell.exe 89->105         started        process21 process22 109 csc.exe 95->109         started        112 csc.exe 97->112         started        file23 138 C:\Users\user\AppData\Local\...\b4ziiufs.dll, PE32 109->138 dropped 114 cvtres.exe 109->114         started        140 C:\Users\user\AppData\Local\...\auhqn5rh.dll, PE32 112->140 dropped 116 cvtres.exe 112->116         started        process24
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2
Gathering data
Threat name:
Win64.Trojan.Hydra
Create hunting rule
Status:
Malicious
First seen:
2024-11-03 20:01:28 UTC
File Type:
PE+ (Exe)
Extracted files:
17
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wteeyu7igsepsubeuizalwvpeh6pw6zrd52s6zex7pmmmzkwchra._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion execution persistence spyware stealer trojan
Link:
https://tria.ge/reports/241103-ypt51atcqm/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops file in Windows directory
An obfuscated cmd.exe command-line is typically used to evade detection.
Drops file in System32 directory
Enumerates processes with tasklist
Adds Run key to start application
Blocklisted process makes network request
Checks installed software on the system
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
UAC bypass
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/14e6edf4-cf19-49de-957c-ddfb37d4b0ee
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_202409_html_FedEx_phish
Create hunting rule
Author:abuse.ch
Description:Detects potential HTML FedEx phishing forms
Rule name:APT_Bitter_ZxxZ_Downloader
Create hunting rule
Author:SECUINFRA Falcon Team (@SI_FalconTeam)
Description:Detects Bitter (T-APT-17) ZxxZ Downloader
Reference:https://www.secuinfra.com/en/techtalk/whatever-floats-your-boat-bitter-apt-continues-to-target-bangladesh
Rule name:attack_India
Create hunting rule
Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Glasses
Create hunting rule
Author:Seth Hardy
Description:Glasses family
Rule name:GlassesCode
Create hunting rule
Author:Seth Hardy
Description:Glasses code features
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:Mimikatz_Generic
Create hunting rule
Author:Still
Description:attempts to match all variants of Mimikatz
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Pkg
Create hunting rule
Author:nwunderly
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Growtopia

Executable exe b4c84c53e83488f95024a23205daaf21fcfb7b311f752f6497fbd8c6655611e2

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3274531/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::GetSecurityInfo
ADVAPI32.dll::SetEntriesInAclA
ADVAPI32.dll::SetSecurityInfo
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeGetTime
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateRemoteThread
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::CreateFiber
KERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::FillConsoleOutputAttribute
KERNEL32.dll::FillConsoleOutputCharacterW
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::WriteConsoleInputW
KERNEL32.dll::ReadConsoleInputW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::ReadConsoleA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingA
KERNEL32.dll::CreateFileMappingW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::GetUserNameW
WIN_BCRYPT_APICan Encrypt Filesbcrypt.dll::BCryptGenRandom
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertDuplicateCertificateContext
CRYPT32.dll::CertEnumCertificatesInStore
CRYPT32.dll::CertFindCertificateInStore
CRYPT32.dll::CertFreeCertificateContext
CRYPT32.dll::CertGetCertificateContextProperty
CRYPT32.dll::CertOpenStore
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegGetValueW
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegQueryValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::FreeAddrInfoW
WS2_32.dll::getaddrinfo
WS2_32.dll::GetAddrInfoW
WS2_32.dll::GetHostNameW
WS2_32.dll::getnameinfo
WS2_32.dll::GetNameInfoW

Comments