Overview
overview
10Static
static
1078769e4085...7e.zip
windows7_x64
178769e4085...7e.zip
windows10-2004_x64
malware-an...er.pdf
windows7_x64
1malware-an...er.pdf
windows10-2004_x64
1malware-an...is.pdf
windows7_x64
1malware-an...is.pdf
windows10-2004_x64
1malware-an...ypt.py
linux_amd64
malware-an...ypt.py
linux_armhf
malware-an...ypt.py
linux_mips
malware-an...ypt.py
linux_mipsel
malware-an...ons.py
windows7_x64
3malware-an...ons.py
windows10-2004_x64
3malware-an...is.pdf
windows7_x64
1malware-an...is.pdf
windows10-2004_x64
malware-an...tt.ps1
windows7_x64
10malware-an...tt.ps1
windows10-2004_x64
8malware-an...tt.vbs
windows7_x64
malware-an...tt.vbs
windows10-2004_x64
7malware-an...er.ps1
windows7_x64
1malware-an...er.ps1
windows10-2004_x64
malware-an...od.ps1
windows7_x64
malware-an...od.ps1
windows10-2004_x64
10malware-an...44.exe
windows7_x64
10malware-an...44.exe
windows10-2004_x64
malware-an...55.dll
windows7_x64
1malware-an...55.dll
windows10-2004_x64
malware-an...xes.py
linux_amd64
malware-an...xes.py
linux_armhf
malware-an...xes.py
linux_mips
malware-an...xes.py
linux_mipsel
malware-an...dra.py
windows7_x64
malware-an...dra.py
windows10-2004_x64
3Static task
static1
Behavioral task
behavioral1
Sample
78769e4085312f21cc67e77bfdd136f9a30d34e2d2a5d8870f2ebbeb7c3a8f7e.zip
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
78769e4085312f21cc67e77bfdd136f9a30d34e2d2a5d8870f2ebbeb7c3a8f7e.zip
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
malware-analysis-writeups-master/agent-tesla-loader/agentTeslaLoader.pdf
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
malware-analysis-writeups-master/agent-tesla-loader/agentTeslaLoader.pdf
Resource
win10v2004-20220414-en
Behavioral task
behavioral5
Sample
malware-analysis-writeups-master/ava-maria-rat/AvaMariaAnalysis.pdf
Resource
win7-20220414-en
Behavioral task
behavioral6
Sample
malware-analysis-writeups-master/ava-maria-rat/AvaMariaAnalysis.pdf
Resource
win10v2004-20220414-en
Behavioral task
behavioral7
Sample
malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerBeaconDecrypt.py
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral8
Sample
malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerBeaconDecrypt.py
Resource
debian9-armhf-en-20211208
Behavioral task
behavioral9
Sample
malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerBeaconDecrypt.py
Resource
debian9-mipsbe-en-20211208
Behavioral task
behavioral10
Sample
malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerBeaconDecrypt.py
Resource
debian9-mipsel-en-20211208
Behavioral task
behavioral11
Sample
malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerCatchBeacons.py
Resource
win7-20220414-en
Behavioral task
behavioral12
Sample
malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerCatchBeacons.py
Resource
win10v2004-20220414-en
Behavioral task
behavioral13
Sample
malware-analysis-writeups-master/bashar-bachir-chain/bashar-bachir-analysis.pdf
Resource
win7-20220414-en
Behavioral task
behavioral14
Sample
malware-analysis-writeups-master/bashar-bachir-chain/bashar-bachir-analysis.pdf
Resource
win10v2004-20220414-en
Behavioral task
behavioral15
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/avastt.ps1
Resource
win7-20220414-en
Behavioral task
behavioral16
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/avastt.ps1
Resource
win10v2004-20220414-en
Behavioral task
behavioral17
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/avastt.vbs
Resource
win7-20220414-en
Behavioral task
behavioral18
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/avastt.vbs
Resource
win10v2004-20220414-en
Behavioral task
behavioral19
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/downloader.ps1
Resource
win7-20220414-en
Behavioral task
behavioral20
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/downloader.ps1
Resource
win10v2004-20220414-en
Behavioral task
behavioral21
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/nod.ps1
Resource
win7-20220414-en
Behavioral task
behavioral22
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/nod.ps1
Resource
win10v2004-20220414-en
Behavioral task
behavioral23
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/nod_Cli444.exe
Resource
win7-20220414-en
Behavioral task
behavioral24
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/nod_Cli444.exe
Resource
win10v2004-20220414-en
Behavioral task
behavioral25
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/nod_Cli555.dll
Resource
win7-20220414-en
Behavioral task
behavioral26
Sample
malware-analysis-writeups-master/bashar-bachir-chain/files/nod_Cli555.dll
Resource
win10v2004-20220414-en
Behavioral task
behavioral27
Sample
malware-analysis-writeups-master/bashar-bachir-chain/helperScripts/extractNodExes.py
Resource
ubuntu1804-amd64-en-20211208
Behavioral task
behavioral28
Sample
malware-analysis-writeups-master/bashar-bachir-chain/helperScripts/extractNodExes.py
Resource
debian9-armhf-en-20211208
Behavioral task
behavioral29
Sample
malware-analysis-writeups-master/bashar-bachir-chain/helperScripts/extractNodExes.py
Resource
debian9-mipsbe-en-20211208
Behavioral task
behavioral30
Sample
malware-analysis-writeups-master/bashar-bachir-chain/helperScripts/extractNodExes.py
Resource
debian9-mipsel-en-20211208
Behavioral task
behavioral31
Sample
malware-analysis-writeups-master/razy-variant/razyVariantDecryptStackStrings_ghidra.py
Resource
win7-20220414-en
Behavioral task
behavioral32
Sample
malware-analysis-writeups-master/razy-variant/razyVariantDecryptStackStrings_ghidra.py
Resource
win10v2004-20220414-en
General
-
Target
78769e4085312f21cc67e77bfdd136f9a30d34e2d2a5d8870f2ebbeb7c3a8f7e
-
Size
4.2MB
-
MD5
154370225f6d203912178dffa4fc473c
-
SHA1
2525de74d4d439f33e65fdace52e498187e049ed
-
SHA256
78769e4085312f21cc67e77bfdd136f9a30d34e2d2a5d8870f2ebbeb7c3a8f7e
-
SHA512
cc29d21d0b2c3a22dd8b16ecbcb8619526dc82c6e97ccc61261183ec1f8423a0784a192782cf1fb5cd24c1df2f64e2db5fa3b73935f7f5bbc60e23acdc4fad7e
-
SSDEEP
98304:v6CqCCzcj+Lvy9BeEOUFypsZK2+0CqBp9bgX:K1zqkWBeEOtpsZ/VCqBp9c
Malware Config
Extracted
https://pastebin.com/raw/Qkwjgmp3
Extracted
https://gist.githubusercontent.com/raigabrielmaia/8ae7b2b263c365744052d344d8b57d7b/raw/58ba6d37349921d43d226b108205458440885d46/Nod.mp3
https://gist.githubusercontent.com/raigabrielmaia/8ae7b2b263c365744052d344d8b57d7b/raw/58ba6d37349921d43d226b108205458440885d46/avast.mp3
https://gist.githubusercontent.com/raigabrielmaia/8ae7b2b263c365744052d344d8b57d7b/raw/58ba6d37349921d43d226b108205458440885d46/avastt.mp3
Extracted
metasploit
windows/download_exec
http://certificates.updatecenter.icu:443/v11/5/windowsupdate/redir/v6-win86-wuredir.cab?id=14425600235201
Signatures
-
Metasploit family
-
Njrat family
-
HTTP links in PDF interactive object 1 IoCs
Detects HTTP links in interactive objects within PDF files.
Processes:
resource yara_rule static1/unpack001/malware-analysis-writeups-master/agent-tesla-loader/agentTeslaLoader.pdf pdf_with_link_action
Files
-
78769e4085312f21cc67e77bfdd136f9a30d34e2d2a5d8870f2ebbeb7c3a8f7e.zip .ps1
-
malware-analysis-writeups-master/README.md
-
malware-analysis-writeups-master/agent-tesla-loader/agentTeslaLoader.pdf.pdf
-
https://twitter.com/kindredsec
-
https://discord.gg/CCZCJCu
-
-
malware-analysis-writeups-master/ava-maria-rat/AvaMariaAnalysis.pdf.pdf
-
malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerBeaconDecrypt.py.py .sh linux
-
malware-analysis-writeups-master/ava-maria-rat/helperScripts/buerCatchBeacons.py
-
malware-analysis-writeups-master/bashar-bachir-chain/bashar-bachir-analysis.pdf.pdf
-
https://twitter.com/kindredsec
-
https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/helperScripts/extractNodExes.py
-
https://www.virustotal.com/gui/file/dda9f301fefb543235cd29166dd7bf306e2d52fa6126c887f12c1f4a2c8a3fb0/detection
-
https://github.com/yck1509/ConfuserEx
-
https://docs.microsoft.com/en-us/dotnet/api/system.reflection.assembly.createinstance?view=netframework-4.8
-
https://www.youtube.com/watch?v=OqhGU1s6kVk
-
https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/files/downloader.ps1
-
https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/files/nod.ps1
-
https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/files/avastt.ps1
-
https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/files/avastt.vbs
-
https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/files/nod_Cli444.exe
-
https://github.com/itsKindred/malware-analysis-writeups/tree/master/bashar-bachir-chain/files/nod_Cli555.exe
- Show all
-
-
malware-analysis-writeups-master/bashar-bachir-chain/files/avastt.ps1.ps1
-
malware-analysis-writeups-master/bashar-bachir-chain/files/avastt.vbs.vbs
-
malware-analysis-writeups-master/bashar-bachir-chain/files/downloader.ps1.ps1
-
malware-analysis-writeups-master/bashar-bachir-chain/files/nod.ps1.ps1
-
malware-analysis-writeups-master/bashar-bachir-chain/files/nod_Cli444.exe.exe windows x86
f34d5f2d4577ed6d9ceec516c1f5a744
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorExeMain
Sections
.text Size: 23KB - Virtual size: 22KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
malware-analysis-writeups-master/bashar-bachir-chain/files/nod_Cli555.dll.dll windows x86
dae02f32a21e03ce65412f6e56942daa
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE
Imports
mscoree
_CorDllMain
Sections
.text Size: 56KB - Virtual size: 55KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rsrc Size: 1024B - Virtual size: 992B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 512B - Virtual size: 12B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
malware-analysis-writeups-master/bashar-bachir-chain/helperScripts/extractNodExes.py.py .sh linux
-
malware-analysis-writeups-master/razy-variant/README.md
-
malware-analysis-writeups-master/razy-variant/razyVariantDecryptStackStrings_ghidra.py
-
malware-analysis-writeups-master/swrort-dropper/files/dropper.exe.exe windows x86
87bed5a7cba00c7e1f4015f1bdae2183
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI
Imports
kernel32
LoadLibraryA
GetProcAddress
Sections
.text Size: 4KB - Virtual size: 4KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
DATA Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.idata Size: 512B - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
-
malware-analysis-writeups-master/swrort-dropper/files/stage1.bat.bat .ps1
-
malware-analysis-writeups-master/swrort-dropper/files/stage2.ps1.ps1
-
malware-analysis-writeups-master/swrort-dropper/files/v6-win86-wuredir.cab.cab
-
malware-analysis-writeups-master/swrort-dropper/swrort-stager-analysis.pdf.pdf