Overview

overview

10

Static

static

excludes.exe

windows7_x64

10

excludes.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    excludes.dat

  • Size

    187KB

  • Sample

    220522-f3rb6affh9

  • MD5

    5ca95841b2979a96453361358f6d860d

  • SHA1

    4088c98c806596008b62cd17d59e8c9a01291f1a

  • SHA256

    fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2

  • SHA512

    d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1

Score
10/10
evasionpersistencesuricata

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

http://185.26.113.95:8095/batpower2.txt

Targets

    • Target

      excludes.dat

    • Size

      187KB

    • MD5

      5ca95841b2979a96453361358f6d860d

    • SHA1

      4088c98c806596008b62cd17d59e8c9a01291f1a

    • SHA256

      fe7cc5a2579668cb6afd239dc181c404ef602d72605fe46361e31cecb17187a2

    • SHA512

      d1d7cd8463e4fec463173045fcdbcfd0db85e0af62faad0fea96098341c977279fddb6a6eecf40d1a94b4dd094eba1311caf98443422a89c8b68f76eec7bc8d1

    Score
    10/10
    evasionpersistencesuricata

    • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

      suricata

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Sets file execution options in registry

      persistence

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

2
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Impair Defenses

1
T1562

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks