General

  • Target

    084a9940f85047be896b1bb1769bd667cef30d15920d61bfc0728d8d87b839df.bin

  • Size

    534KB

  • Sample

    210225-d3n66dc926

  • MD5

    cd23ce6c110005107495869d929afc33

  • SHA1

    07586d2d9420c74a7339293ea56c54d12760f292

  • SHA256

    084a9940f85047be896b1bb1769bd667cef30d15920d61bfc0728d8d87b839df

  • SHA512

    cdac414d720f8e7dd45cc30cd24b9eef91660ac673bc8a6ee120a37d71c23e2fbb4d8043af8f7be854702472ac5d3d955f6c40bd23363511ffd3064f8aecb482

Malware Config

Targets

    • Target

      084a9940f85047be896b1bb1769bd667cef30d15920d61bfc0728d8d87b839df.bin (534KB; MD5, SHA1, SHA256 and SHA512 as listed under General above)

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block at first sight, etc.

    • Modifies Windows Defender Real-time Protection settings

    • VenomRAT

      VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilities.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

Execution

    • Scheduled Task (T1053): 1

Persistence

    • Modify Existing Service (T1031): 1

    • Scheduled Task (T1053): 1

Privilege Escalation

    • Scheduled Task (T1053): 1

Defense Evasion

    • Modify Registry (T1112): 3

    • Disabling Security Tools (T1089): 2

    • Install Root Certificate (T1130): 1

Discovery

    • System Information Discovery (T1082): 1

    • Remote System Discovery (T1018): 1

Tasks