General

  • Target

    Brute_Paypal.rar

  • Size

    3.8MB

  • Sample

    220211-jvpedaeadr

  • MD5

    589617b0d2003a64e96b5b97bbe3d6aa

  • SHA1

    a25351038ce19bcc9c69f4f21307121a4bea17ec

  • SHA256

    74bec14e77146923dae84d4aeb0ca036182b967f4ee69818c972d1c19906eede

  • SHA512

    da52a70d61e861afe7979e8cb615e7da8ef5072a88b74f047544eb9423aa308620bce4b57abdbc16e658fece05b77fbd80d056c54f1f307c864ea4a55be86f6c

Malware Config

Targets

    • Target

      Brute.exe

    • Size

      3.6MB

    • MD5

      a96e9cb0519ef7a3ab1fa9c1f52e8cbd

    • SHA1

      5e2169ceaf3e28289bc6c5ec4ac1b469d17f5ba8

    • SHA256

      c2e3de80d6a602cd08cba211d41af12236fb7faa63ed046eff261bdc4408e63c

    • SHA512

      d333cf02075e1f23b54edc0e44112df1fc71519f2b2a3dfad2d27b253e90c80dc265a1e6f2f340fb76395e00307e7bd12f563faeae589331d73918de8c26cde1

    • Registers COM server for autorun

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets file execution options in registry

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Leaf.xNet.dll

    • Size

      129KB

    • MD5

      ea87f37e78fb9af4bf805f6e958f68f4

    • SHA1

      89662fed195d7b9d65ab7ba8605a3cd953f2b06a

    • SHA256

      de9aea105f31f3541cbc5c460b0160d0689a2872d80748ca1456e6e223f0a4aa

    • SHA512

      c56bd03142258c6dcb712d1352d2548a055fbb726ee200949d847cb2d23d9c52442b1435be0df0bf355701a2c1a3c47cd05b96972501f457d2d401501d33d83a

    • Registers COM server for autorun

    • Executes dropped EXE

    • Sets file execution options in registry

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Target

      Newtonsoft.Json.dll

    • Size

      685KB

    • MD5

      081d9558bbb7adce142da153b2d5577a

    • SHA1

      7d0ad03fbda1c24f883116b940717e596073ae96

    • SHA256

      b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3

    • SHA512

      2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511

    • Registers COM server for autorun

    • Executes dropped EXE

    • Sets file execution options in registry

    • Loads dropped DLL

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic, then technique (count) and technique ID:

Execution

    • Scheduled Task (1) T1053

Persistence

    • Registry Run Keys / Startup Folder (7) T1060

    • Scheduled Task (1) T1053

Privilege Escalation

    • Scheduled Task (1) T1053

Defense Evasion

    • Virtualization/Sandbox Evasion (1) T1497

    • Modify Registry (7) T1112

Discovery

    • Query Registry (10) T1012

    • Virtualization/Sandbox Evasion (1) T1497

    • System Information Discovery (13) T1082

    • Peripheral Device Discovery (3) T1120

Tasks