General

  • Target: check.zip
  • Size: 30MB
  • Sample: 201124-6hr6gmxmaj
  • MD5: cc66703c4c2159ba40b7c26848eb75c3
  • SHA1: 0b0728546b2b79bbc4e5e304ce0013f1be41acf6
  • SHA256: 328449250e95af61e5e92254665d4c1a43d835482cd2d159c1e8a08a1ad8c725
  • SHA512: f0f6e043ae8fb93a2cd51e56dbc33e92d0431106db7643f6d2364b6641ebf527849d6ffb282cb62d610bfea008b63af6dfc37fbbd84e39c8a7b7d8bdaf0888fb

Malware Config

Extracted

  • Family: anubis
  • C2:
    http://ktosdelaetskrintotpidor.com
    http://sositehuypidarasi.com

Targets

    • Target: 197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a
    • Size: 5MB
    • MD5: 6314c3ecbae10e28e206833b129fe3eb
    • SHA1: a06bcacec00cd8547b51235d4d16439427f3adf0
    • SHA256: 197f0e170fac2b8c5f1b79d1865ce25f95f4b1a45408b091b5741710a3d9e32a
    • SHA512: 68a61b1ef9ce13edb0986ede5d1f6355b27ca3d59768fc83b66c78e8d4e6248b222f12e178389f544df853616078122d1af96aaaadd34001b10189c246cad918

    Score: 9/10
    • Grants admin privileges
      Uses net.exe to modify the user's privileges.
    • Blacklisted process makes network request
    • Executes dropped EXE
    • Loads dropped DLL
    • JavaScript code in executable
    • Drops file in System32 directory
    • Modifies service

    • Target: 302d77c6ec68c07741be2ae0d0c26bc88c85f525c8e3766ebf23dba34802f956
    • Size: 381KB
    • MD5: 7b0ac7978252ea290cef2a29504e3afc
    • SHA1: 6061b058b899a283cc25dcec0864036b04b1e191
    • SHA256: 302d77c6ec68c07741be2ae0d0c26bc88c85f525c8e3766ebf23dba34802f956
    • SHA512: 89dfa42516d28168a65a39b6b5429597be80222da78c8581bcf5b9e7b9cadf47c8f69a43e33118e8b286d683fdd52bf61744cb84039d94c1dbf60376a80fe52e

    Score: 8/10
    • Executes dropped EXE
    • Loads dropped DLL
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target: 466d872ddb9f8ce7db8d16d171b9ba398f99c98c79e63396760cda7426d9460d
    • Size: 5MB
    • MD5: 6566030bb1580c5a347d925bfc280439
    • SHA1: 31a8a4fb514cef40af7cd8cfbab1b568aff56d73
    • SHA256: 466d872ddb9f8ce7db8d16d171b9ba398f99c98c79e63396760cda7426d9460d
    • SHA512: da565d4f38807d170fe34a4523327958ffc56801b91f29471c815f3e7d133699e305360a0abdd508ba95d81a85ed01fea73f0c397d642fed2de05b4a90ccb76f

    • Modifies Windows Defender Real-time Protection settings
    • ServiceHost packer
      Detects the ServiceHost packer used for .NET malware.
    • Executes dropped EXE
    • VMProtect packed file
      Detects executables packed with the VMProtect commercial packer.
    • Checks BIOS information in registry
      BIOS information is often read in order to detect sandboxing environments.
    • Loads dropped DLL

    • Target: 6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4
    • Size: 1MB
    • MD5: 25ca92613089d713e77e03140bfc2e46
    • SHA1: 3918be6a75063293154ab39e8a8735bd79283213
    • SHA256: 6d13a07022cd549f981cc929795c9c1b18c424a0faff27c1faa8990ca843c6f4
    • SHA512: 106e96f3f312efe0c01a5784c35e766cfb6a8c1b50da876accbe92120ec84a579aab81651233b1c68492ba17f0860b2c18ef93203f50298aa56ec6c8862f4ba5

    Score: 8/10
    • Blacklisted process makes network request
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Suspicious use of SetThreadContext

    • Target: 8c1d1de824c079bfec155f05b5f24fd4e1c64c015286ac417b3a587124d743ef
    • Size: 47KB
    • MD5: 5db68bb58a06af694c3889b60773fe56
    • SHA1: 300d02833757da7c83b0164b5c45562ebc6f41f7
    • SHA256: 8c1d1de824c079bfec155f05b5f24fd4e1c64c015286ac417b3a587124d743ef
    • SHA512: 521fdc93d49268fad1f6c314240fe3615d2de2e2058e4672c08a8f2f22b76c4bcb93a41286268ca8d5db1c42dd700f5c98f04b29ac0032409ea15b77239ec86b

    Score: 1/10
    • Target: a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8
    • Size: 1MB
    • MD5: 0d2152118cc580db3dce7244c9ba9663
    • SHA1: 8163955d3a9eb5e8be460da5b0a3b0d1fe8a3191
    • SHA256: a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8
    • SHA512: a8eb6ad994e9a1e26a37303cfee1ebd1ad58996909c12819daed19529d1c00c31e5c391362d48a9d4f10bec52c601326b4c0b06d7986cd2bc6bbe29b4abf0e5a

    Score: 9/10
    • ServiceHost packer
      Detects the ServiceHost packer used for .NET malware.
    • Executes dropped EXE
    • Deletes itself
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Suspicious use of SetThreadContext

    • Target: a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d
    • Size: 590KB
    • MD5: 6611edb58235884e8499d12cdfa808be
    • SHA1: 7d1f2d13c59930dbb8e2547f3748215da9f20ee9
    • SHA256: a3802c3a0538d8b24b8a43144c51e742b0041e3b983b654ee19639359c42b06d
    • SHA512: 283769a041c725cfca6501b47979d8a51695535f701dca45d0c444a5e0d903e40a19ca98adc26f54998f2a4c27b9772bd821196c19f2b6ba485c837d79c803c2

    • AgentTesla
      Agent Tesla is a remote access tool (RAT) written in Visual Basic.
    • RedLine
      RedLine Stealer is a malware family written in C#, first appearing in early 2020.
    • AgentTesla Payload
    • Executes dropped EXE
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar secrets.
    • Checks installed software on the system
      Looks up Uninstall key entries in the registry to enumerate software on the system.
    • Legitimate hosting services abused for malware hosting/C2
    • Looks up external IP address via web service
      Uses a legitimate IP lookup service to find the infected system's external IP.
    • Modifies service
    • Suspicious use of SetThreadContext

    • Target: af82bed2c58c403908faf323310cf6a65a7e3bfe098cc930eb5ac4bfe9315ef4
    • Size: 4MB
    • MD5: 64b831a358118f5d8b20f4c5b78e8123
    • SHA1: acfbaf82579235d4e404875ac9bbb2b299f85f88
    • SHA256: af82bed2c58c403908faf323310cf6a65a7e3bfe098cc930eb5ac4bfe9315ef4
    • SHA512: 4cc96bca1a539af4cdbd3928ea2e7ecc8d3eed4806a7a04c4e4e77830f891d9f889392cd819a16bfcacfb4a8ca77c6da5d35e02bfbb17facceb44bbce5f1e90c

    • Anubis banker
      Android banker that uses overlays.
    • Removes its main activity from the application launcher
    • Loads dropped Dex/Jar
      Runs an executable file dropped to the device during analysis.

    • Target: c6c0d4969ac74cdc574fae3ace12a4ad64858ec5ab292733ae78fd3d04696536
    • Size: 965KB
    • MD5: 613eb0c25564d774d81d1e4a96fd49b4
    • SHA1: 39517f6689a4fc87df0b014fd163a2d291379e8f
    • SHA256: c6c0d4969ac74cdc574fae3ace12a4ad64858ec5ab292733ae78fd3d04696536
    • SHA512: b8caa329c7ce7cd18a9fee3201bd3da8ba531e88e9049ff93c0dde4c198569a17debda7388c652d2bb486f71a7612fd709e52642ce68406791ec6114030aee0a

    Score: 1/10
    • Target: d92ef7281e3b5145835ffa17ff869c5569011ffb9ad327eeecfddebe31cdc31a
    • Size: 239KB
    • MD5: 81d7a6eec2c3da4dce4f42469e7d7379
    • SHA1: d0441919a11fcf12e937b674ed79529f5de62db1
    • SHA256: d92ef7281e3b5145835ffa17ff869c5569011ffb9ad327eeecfddebe31cdc31a
    • SHA512: 3cbf845d47a476cc2b2b004fd2c8490afd8b1248cdab431674dc18c2be32d5b7d401cc8f4bf04f2e97a5e42f24e953e907c072463533ee97db7e878f0005d740

    Score: 1/10
    • Target: dffb2eaccbbfd1077d7679ecba62bb75de32259c70e28a84b32750fdfb17e13a
    • Size: 8MB
    • MD5: 3c4261d71d948d16d40c36805295a62b
    • SHA1: 0cf36394c41e79b2297c18ebc8fd0d0ee1ffdd9d
    • SHA256: dffb2eaccbbfd1077d7679ecba62bb75de32259c70e28a84b32750fdfb17e13a
    • SHA512: b7e6e153a68bb4ee5257e86a9ab7637db161ced3681f306217cb4d4fea2f63cd6eca54c662ca8a6509d94fc44cca0785a528371f95fe83f5442e9c213fe0febb

    Score: 8/10
    • Executes dropped EXE
    • VMProtect packed file
      Detects executables packed with the VMProtect commercial packer.
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: e247b061c89190fa7fec3ce419b3ed58e088db8a58fa40fc208d3995b149adb1
    • Size: 7MB
    • MD5: 737f4d07b9bb5435fd670f956030d01f
    • SHA1: f608b036034549486d563a59265c1c3bb9466fe0
    • SHA256: e247b061c89190fa7fec3ce419b3ed58e088db8a58fa40fc208d3995b149adb1
    • SHA512: 7c2f3a30bbd1f26a555d7ada2ea4e45a8461ea11ac4ec7552fbd85f545afae16cecac21319f9a6df770cdca8f2785162a03bc8cec5fcf0da3e69a540e0900427

    Score: 8/10
    • Executes dropped EXE
    • UPX packed file
      Detects executables packed with the UPX open-source packer or a modified UPX.
    • Deletes itself
    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v6)

Execution
  • Scheduled Task (T1053): 1

Persistence
  • Account Manipulation (T1098): 1
  • Modify Existing Service (T1031): 3
  • Scheduled Task (T1053): 1

Privilege Escalation
  • Scheduled Task (T1053): 1

Defense Evasion
  • Modify Registry (T1112): 6
  • Disabling Security Tools (T1089): 1
  • Install Root Certificate (T1130): 2

Credential Access
  • Credentials in Files (T1081): 3

Discovery
  • Query Registry (T1012): 5
  • System Information Discovery (T1082): 2
  • Remote System Discovery (T1018): 3

Collection
  • Data from Local System (T1005): 3

Command and Control
  • Web Service (T1102): 1

Tasks

  • static1 (Score 8/10): pyinstaller, vmprotect, upx
  • behavioral1 (Score 9/10): persistence
  • behavioral2 (Score 9/10): persistence
  • behavioral3 (Score 8/10)
  • behavioral4 (Score 8/10)
  • behavioral5 (Score 8/10): vmprotect
  • behavioral6 (Score 10/10): evasion, trojan, vmprotect
  • behavioral7 (Score 8/10): discovery, spyware
  • behavioral8 (Score 8/10): discovery, spyware
  • behavioral9 (Score 1/10)
  • behavioral10 (Score 1/10)
  • behavioral11 (Score 8/10): discovery, spyware
  • behavioral12 (Score 9/10): discovery, spyware
  • behavioral13 (Score 10/10): agenttesla, redline, discovery, infostealer, keylogger, persistence, spyware, stealer, trojan
  • behavioral14 (Score 10/10): agenttesla, redline, discovery, infostealer, keylogger, spyware, stealer, trojan
  • behavioral15 (Score 10/10): anubis, banker, infostealer, obfuscation, stealth, trojan
  • behavioral16 (Score 1/10)
  • behavioral17 (Score 1/10)
  • behavioral18 (Score 1/10)
  • behavioral19 (Score 1/10)
  • behavioral20 (Score 8/10): vmprotect
  • behavioral21 (Score 8/10): vmprotect
  • behavioral22 (Score 8/10): upx
  • behavioral23 (Score 8/10): upx