chinese_generic_botnet | a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a

General

Target

a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe
Size

3.5MB
MD5

9c2be565965857100e3aa9ae6aaf4dd3
SHA1

983b916aca832e67dbb7e04a705646ca92ce92ee
SHA256

a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a
SHA512

3384c625822c0d338c76f3fc01de42468fd1a4eb85e39769e309040caebd5214f3eabcbbc156d074ce2284dc33412572f43e7db9bcb1c911789268e4e6ba33eb

Score

10^/10

chinese_generic_botnet botnet evasion persistence trojan upx

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a000000022e2c-133.dat	acprotect
behavioral2/files/0x000a000000022e2c-134.dat	acprotect

Chinese Botnet Payload 2 IoCs

botnet

resource	yara_rule
behavioral2/memory/4304-142-0x0000000000400000-0x0000000000957000-memory.dmp	unk_chinese_botnet
behavioral2/memory/4304-143-0x0000000010000000-0x0000000010017000-memory.dmp	unk_chinese_botnet

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Executes dropped EXE 3 IoCs

pid	Process
4652	ÏµÍ³°²È«²¹¶¡.exe
4304	lsass.exe
4588	lsass.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022e2c-133.dat	upx
behavioral2/files/0x000a000000022e2c-134.dat	upx

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lsass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lsass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	lsass.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	lsass.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine	lsass.exe
Key opened	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Wine	lsass.exe

Loads dropped DLL 1 IoCs

pid	Process
4652	ÏµÍ³°²È«²¹¶¡.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ÏµÍ³°²È«²¹¶¡.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360°²È«ºËÐÄ·þÎñ = "C:\\Users\\Public\\ÏµÍ³°²È«²¹¶¡.exe"	ÏµÍ³°²È«²¹¶¡.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
4084	a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe
4304	lsass.exe
4588	lsass.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4084	a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe
4084	a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe
4304	lsass.exe
4304	lsass.exe
4588	lsass.exe
4588	lsass.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4084	a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe
4084	a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe
4304	lsass.exe
4588	lsass.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4084 wrote to memory of 4652	4084	a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe	81
PID 4084 wrote to memory of 4652	4084	a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe	81
PID 4084 wrote to memory of 4652	4084	a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe	81
PID 4652 wrote to memory of 4304	4652	ÏµÍ³°²È«²¹¶¡.exe	83
PID 4652 wrote to memory of 4304	4652	ÏµÍ³°²È«²¹¶¡.exe	83
PID 4652 wrote to memory of 4304	4652	ÏµÍ³°²È«²¹¶¡.exe	83
PID 4652 wrote to memory of 4588	4652	ÏµÍ³°²È«²¹¶¡.exe	85
PID 4652 wrote to memory of 4588	4652	ÏµÍ³°²È«²¹¶¡.exe	85
PID 4652 wrote to memory of 4588	4652	ÏµÍ³°²È«²¹¶¡.exe	85

C:\Users\Admin\AppData\Local\Temp\a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe
"C:\Users\Admin\AppData\Local\Temp\a59f6414b9d01c85e750fec09c8986d1f3a729bd936ea41639faa4c3d516565a.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4084
- C:\Users\Public\ÏµÍ³°²È«²¹¶¡.exe
  C:\Users\Public\ÏµÍ³°²È«²¹¶¡.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Public\lsass.exe
    C:\Users\Public\lsass.exe
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4304
- - C:\Users\Public\lsass.exe
    C:\Users\Public\lsass.exe
    3⤵
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\ExceptCatch.dll

Filesize
2.0MB

MD5
f96bc70c42b957a9b3a4cf597763e68c

SHA1
55d450a0711943e76983c89c125263d18dbe7599

SHA256
db28d4caee3e77eaf246e72b1829118adcf9ad62727dbe680bafcc7629610cdd

SHA512
f27be1c9ae6726f97497f7b8db84bb61a0c1270d8c0b3b01a07d661362d53c0414e817ebd2e15a37a25b9591f701038c372e85b82e09f3ceb78ffd1306808c53

Download Submit
C:\Users\Public\ExceptCatch.dll

Filesize
2.0MB

MD5
f96bc70c42b957a9b3a4cf597763e68c

SHA1
55d450a0711943e76983c89c125263d18dbe7599

SHA256
db28d4caee3e77eaf246e72b1829118adcf9ad62727dbe680bafcc7629610cdd

SHA512
f27be1c9ae6726f97497f7b8db84bb61a0c1270d8c0b3b01a07d661362d53c0414e817ebd2e15a37a25b9591f701038c372e85b82e09f3ceb78ffd1306808c53

Download Submit
C:\Users\Public\lsass.exe

Filesize
2.0MB

MD5
fc8a0874e9e7fdb9df4437227a6e4558

SHA1
c1845e499a9e047984961410784f46a14baf4267

SHA256
06b48d99f3fe80d550d943cf67099788dc3f9ce712b2d5e4ff61b805203ac826

SHA512
9955e642ad40799b41bd9289a5d6540abea230ead70d2d9e90455633bab512bc3d3537e72f0452c602f0597f69a35a482cf077cffa1c63b6665f7b69530d72de

Download Submit
C:\Users\Public\lsass.exe

Filesize
2.0MB

MD5
fc8a0874e9e7fdb9df4437227a6e4558

SHA1
c1845e499a9e047984961410784f46a14baf4267

SHA256
06b48d99f3fe80d550d943cf67099788dc3f9ce712b2d5e4ff61b805203ac826

SHA512
9955e642ad40799b41bd9289a5d6540abea230ead70d2d9e90455633bab512bc3d3537e72f0452c602f0597f69a35a482cf077cffa1c63b6665f7b69530d72de

Download Submit
C:\Users\Public\lsass.exe

Filesize
2.0MB

MD5
fc8a0874e9e7fdb9df4437227a6e4558

SHA1
c1845e499a9e047984961410784f46a14baf4267

SHA256
06b48d99f3fe80d550d943cf67099788dc3f9ce712b2d5e4ff61b805203ac826

SHA512
9955e642ad40799b41bd9289a5d6540abea230ead70d2d9e90455633bab512bc3d3537e72f0452c602f0597f69a35a482cf077cffa1c63b6665f7b69530d72de

Download Submit
C:\Users\Public\ÏµÍ³°²È«²¹¶¡.exe

Filesize
69KB

MD5
3d924b86f8dc8215ea1dcda84c218ad7

SHA1
bff3baea1ea9f1eef642773382d6e8945fa5bf8c

SHA256
a429ee865286dc2be99cb61ac2ed8f29c148aabd7f77943e65114744bc4df98b

SHA512
bab02ad0a21b44692bf60db8600872290274b44212febae90c6cf99e09a30c516493253da52b3d80b4fe805100e90fde953b8674c4c8e11911e187dd12dbc7ff

Download Submit
C:\Users\Public\ÏµÍ³°²È«²¹¶¡.exe

Filesize
69KB

MD5
3d924b86f8dc8215ea1dcda84c218ad7

SHA1
bff3baea1ea9f1eef642773382d6e8945fa5bf8c

SHA256
a429ee865286dc2be99cb61ac2ed8f29c148aabd7f77943e65114744bc4df98b

SHA512
bab02ad0a21b44692bf60db8600872290274b44212febae90c6cf99e09a30c516493253da52b3d80b4fe805100e90fde953b8674c4c8e11911e187dd12dbc7ff

Download Submit
memory/4084-138-0x0000000000400000-0x00000000007FD000-memory.dmp

Filesize
4.0MB

Download
memory/4304-141-0x0000000077760000-0x0000000077903000-memory.dmp

Filesize
1.6MB

Download
memory/4304-142-0x0000000000400000-0x0000000000957000-memory.dmp

Filesize
5.3MB

Download
memory/4304-143-0x0000000010000000-0x0000000010017000-memory.dmp

Filesize
92KB

Download
memory/4588-144-0x0000000077760000-0x0000000077903000-memory.dmp

Filesize
1.6MB

Download
memory/4588-147-0x0000000000400000-0x0000000000957000-memory.dmp

Filesize
5.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads