General

  • Target

    Trojan-PSW.Win32.Stealer.xuv-b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f.exe

  • Size

    3MB

  • Sample

    220918-wnkttsfean

  • MD5

    6fb798f1090448ce26299c2b35acf876

  • SHA1

    451423d5690cffa02741d5da6e7c45bc08aefb55

  • SHA256

    b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f

  • SHA512

    9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3

  • SSDEEP

    98304:pAdy2TU151ZIpH8YcItGTHF+iSfI77agdayaW/ej:gy5Ls8YcItWFXlWZVy

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

gfhhjgh.duckdns.org:8050

Attributes
delay
3
install
false
install_file
system32.exe
install_folder
%AppData%
aes.plain

Extracted

Family

njrat

Version

im523

Botnet

mediaget

C2

kazya1.hopto.org:1470

Attributes
reg_key
a797c6ca3f5e7aff8fa1149c47fe9466
splitter
|'|'|

Extracted

Family

nanocore

Version

1.2.2.0

C2

172.98.92.42:58491

127.0.0.1:58491

Attributes
activate_away_mode
true
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-09-20T02:48:09.651743436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
58491
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c5a0b6d8-d1f7-45cd-943b-d5fda411e988
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
172.98.92.42
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

redline

Botnet

@zhilsholi

C2

yabynennet.xyz:81

Attributes
auth_value
c2d0b7a2ede97b91495c99e75b4f27fb

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

5781468cedb3a203003fdf1f12e72fe98d6f1c0f

Attributes
url4cnc
http://194.180.174.53/brikitiki
http://91.219.236.18/brikitiki
http://194.180.174.41/brikitiki
http://91.219.236.148/brikitiki
https://t.me/brikitiki
rc4.plain
rc4.plain

Extracted

Family

oski

C2

prepepe.ac.ug

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

pony

C2

http://londonpaerl.co.uk/yesup/gate.php

Targets

    • Target

      Trojan-PSW.Win32.Stealer.xuv-b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f.exe

    • Size

      3MB

    • MD5

      6fb798f1090448ce26299c2b35acf876

    • SHA1

      451423d5690cffa02741d5da6e7c45bc08aefb55

    • SHA256

      b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f

    • SHA512

      9cc2421a2f3ab01d15be62a848947b03f1a8212cfd923573cf70f8c10bd8d124aee3b251828834236af291ea12450ac2580a712e53a022ce11b4d71b0357d8c3

    • SSDEEP

      98304:pAdy2TU151ZIpH8YcItGTHF+iSfI77agdayaW/ej:gy5Ls8YcItWFXlWZVy

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • UAC bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Modifies Windows Firewall

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks