Resubmissions

25-10-2022 19:39

221025-ydf41adfa8 5

24-10-2022 20:28

221024-y84hsaade9 10

General

  • Target

    Downloads.exe

  • Size

    20MB

  • Sample

    221024-y84hsaade9

  • MD5

    1f8d2846109b9b9fdadb28ba1492dbff

  • SHA1

    6a89d407a8cbe41392fe8771c9b4ab01e479bd2d

  • SHA256

    39320dd56575ef700b43ad49fff8c5088cb8b6bd05546f376b04d44c976ae148

  • SHA512

    33a5dd606f2f4c1513189560989a3c61cbd47b2a282e7d32798e548f4d53a421075d23a416ce443fb91121c24b79c6132bd652e069cdf063f9f2480e2bb5b452

  • SSDEEP

    393216:NCaD/8a2qhzNvMnSVtxr6lTyuF0WOifSRrd1cFKe9CX5QqiMikP537aXmb0r:4aDkalhpZ0lVHSzevqeMvbU

Malware Config

Extracted

Path

C:\Program Files\OpenVPN\doc\openvpn.8.html

Ransom Note
<?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" /> <title>openvpn</title> <style type="text/css"> /* :Author: David Goodger (goodger@python.org) :Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $ :Copyright: This stylesheet has been placed in the public domain. Default cascading style sheet for the HTML output of Docutils. See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to customize this style sheet. */ /* used to remove borders from tables and images */ .borderless, table.borderless td, table.borderless th { border: 0 } table.borderless td, table.borderless th { /* Override padding for "table.docutils td" with "! important". The right padding separates the table cells. */ padding: 0 0.5em 0 0 ! important } .first { /* Override more specific margin styles with "! important". */ margin-top: 0 ! important } .last, .with-subtitle { margin-bottom: 0 ! important } .hidden { display: none } .subscript { vertical-align: sub; font-size: smaller } .superscript { vertical-align: super; font-size: smaller } a.toc-backref { text-decoration: none ; color: black } blockquote.epigraph { margin: 2em 5em ; } dl.docutils dd { margin-bottom: 0.5em } object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] { overflow: hidden; } /* Uncomment (and remove this text!) to get bold-faced definition list terms dl.docutils dt { font-weight: bold } */ div.abstract { margin: 2em 5em } div.abstract p.topic-title { font-weight: bold ; text-align: center } div.admonition, div.attention, div.caution, div.danger, div.error, div.hint, div.important, div.note, div.tip, div.warning { margin: 2em ; border: medium outset ; padding: 1em } div.admonition p.admonition-title, div.hint p.admonition-title, div.important p.admonition-title, div.note p.admonition-title, div.tip p.admonition-title { font-weight: bold ; font-family: sans-serif } div.attention p.admonition-title, div.caution p.admonition-title, div.danger p.admonition-title, div.error p.admonition-title, div.warning p.admonition-title, .code .error { color: red ; font-weight: bold ; font-family: sans-serif } /* Uncomment (and remove this text!) to get reduced vertical space in compound paragraphs. div.compound .compound-first, div.compound .compound-middle { margin-bottom: 0.5em } div.compound .compound-last, div.compound .compound-middle { margin-top: 0.5em } */ div.dedication { margin: 2em 5em ; text-align: center ; font-style: italic } div.dedication p.topic-title { font-weight: bold ; font-style: normal } div.figure { margin-left: 2em ; margin-right: 2em } div.footer, div.header { clear: both; font-size: smaller } div.line-block { display: block ; margin-top: 1em ; margin-bottom: 1em } div.line-block div.line-block { margin-top: 0 ; margin-bottom: 0 ; margin-left: 1.5em } div.sidebar { margin: 0 0 0.5em 1em ; border: medium outset ; padding: 1em ; background-color: #ffffee ; width: 40% ; float: right ; clear: right } div.sidebar p.rubric { font-family: sans-serif ; font-size: medium } div.system-messages { margin: 5em } div.system-messages h1 { color: red } div.system-message { border: medium outset ; padding: 1em } div.system-message p.system-message-title { color: red ; font-weight: bold } div.topic { margin: 2em } h1.section-subtitle, h2.section-subtitle, h3.section-subtitle, h4.section-subtitle, h5.section-subtitle, h6.section-subtitle { margin-top: 0.4em } h1.title { text-align: center } h2.subtitle { text-align: center } hr.docutils { width: 75% } img.align-left, .figure.align-left, object.align-left, table.align-left { clear: left ; float: left ; margin-right: 1em } img.align-right, .figure.align-right, object.align-right, table.align-right { clear: right ; float: right ; margin-left: 1em } img.align-center, .figure.align-center, object.align-center { display: block; margin-left: auto; margin-right: auto; } table.align-center { margin-left: auto; margin-right: auto; } .align-left { text-align: left } .align-center { clear: both ; text-align: center } .align-right { text-align: right } /* reset inner alignment in figures */ div.align-right { text-align: inherit } /* div.align-center * { */ /* text-align: left } */ .align-top { vertical-align: top } .align-middle { vertical-align: middle } .align-bottom { vertical-align: bottom } ol.simple, ul.simple { margin-bottom: 1em } ol.arabic { list-style: decimal } ol.loweralpha { list-style: lower-alpha } ol.upperalpha { list-style: upper-alpha } ol.lowerroman { list-style: lower-roman } ol.upperroman { list-style: upper-roman } p.attribution { text-align: right ; margin-left: 50% } p.caption { font-style: italic } p.credits { font-style: italic ; font-size: smaller } p.label { white-space: nowrap } p.rubric { font-weight: bold ; font-size: larger ; color: maroon ; text-align: center } p.sidebar-title { font-family: sans-serif ; font-weight: bold ; font-size: larger } p.sidebar-subtitle { font-family: sans-serif ; font-weight: bold } p.topic-title { font-weight: bold } pre.address { margin-bottom: 0 ; margin-top: 0 ; font: inherit } pre.literal-block, pre.doctest-block, pre.math, pre.code { margin-left: 2em ; margin-right: 2em } pre.code .ln { color: grey; } /* line numbers */ pre.code, code { background-color: #eeeeee } pre.code .comment, code .comment { color: #5C6576 } pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold } pre.code .literal.string, code .literal.string { color: #0C5404 } pre.code .name.builtin, code .name.builtin { color: #352B84 } pre.code .deleted, code .deleted { background-color: #DEB0A1} pre.code .inserted, code .inserted { background-color: #A3D289} span.classifier { font-family: sans-serif ; font-style: oblique } span.classifier-delimiter { font-family: sans-serif ; font-weight: bold } span.interpreted { font-family: sans-serif } span.option { white-space: nowrap } span.pre { white-space: pre } span.problematic { color: red } span.section-subtitle { /* font-size relative to parent (h1..h6 element) */ font-size: 80% } table.citation { border-left: solid 1px gray; margin-left: 1px } table.docinfo { margin: 2em 4em } table.docutils { margin-top: 0.5em ; margin-bottom: 0.5em } table.footnote { border-left: solid 1px black; margin-left: 1px } table.docutils td, table.docutils th, table.docinfo td, table.docinfo th { padding-left: 0.5em ; padding-right: 0.5em ; vertical-align: top } table.docutils th.field-name, table.docinfo th.docinfo-name { font-weight: bold ; text-align: left ; white-space: nowrap ; padding-left: 0 } /* "booktabs" style (no vertical lines) */ table.docutils.booktabs { border: 0px; border-top: 2px solid; border-bottom: 2px solid; border-collapse: collapse; } table.docutils.booktabs * { border: 0px; } table.docutils.booktabs th { border-bottom: thin solid; text-align: left; } h1 tt.docutils, h2 tt.docutils, h3 tt.docutils, h4 tt.docutils, h5 tt.docutils, h6 tt.docutils { font-size: 100% } ul.auto-toc { list-style-type: none } </style> </head> <body> <div class="document" id="openvpn"> <h1 class="title">openvpn</h1> <h2 class="subtitle" id="secure-ip-tunnel-daemon">Secure IP tunnel daemon</h2> <table class="docinfo" frame="void" rules="none"> <col class="docinfo-name" /> <col class="docinfo-content" /> <tbody valign="top"> <tr class="manual-section field"><th class="docinfo-name">Manual section:</th><td class="field-body">8</td> </tr> <tr class="manual-group field"><th class="docinfo-name">Manual group:</th><td class="field-body">System Manager's Manual</td> </tr> </tbody> </table> <div class="section" id="synopsis"> <h1>SYNOPSIS</h1> <div class="line-block"> <div class="line"><tt class="docutils literal">openvpn</tt> [ options ... ]</div> <div class="line"><tt class="docutils literal">openvpn</tt> <tt class="docutils literal"><span class="pre">--help</span></tt></div> </div> </div> <div class="section" id="introduction"> <h1>INTRODUCTION</h1> <p>OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN tries to be a universal VPN tool offering a great deal of flexibility, there are a lot of options on this manual page. If you're new to OpenVPN, you might want to skip ahead to the examples section where you will see how to construct simple VPNs on the command line without even needing a configuration file.</p> <p>Also note that there's more documentation and examples on the OpenVPN web site: <a class="reference external" href="https://openvpn.net/">https://openvpn.net/</a></p> <p>And if you would like to see a shorter version of this manual, see the openvpn usage message which can be obtained by running <strong>openvpn</strong> without any parameters.</p> </div> <div class="section" id="description"> <h1>DESCRIPTION</h1> <p>OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through proxies or NAT, support for dynamic IP addresses and DHCP, scalability to hundreds or thousands of users, and portability to most major OS platforms.</p> <p>OpenVPN is tightly bound to the OpenSSL library, and derives much of its crypto capabilities from it.</p> <p>OpenVPN supports conventional encryption using a pre-shared secret key <strong>(Static Key mode)</strong> or public key security <strong>(SSL/TLS mode)</strong> using client &amp; server certificates. OpenVPN also supports non-encrypted TCP/UDP tunnels.</p> <p>OpenVPN is designed to work with the <strong>TUN/TAP</strong> virtual networking interface that exists on most platforms.</p> <p>Overall, OpenVPN aims to offer many of the key features of IPSec but with a relatively lightweight footprint.</p> </div> <div class="section" id="options"> <h1>OPTIONS</h1> <p>OpenVPN allows any option to be placed either on the command line or in a configuration file. Though all command line options are preceded by a double-leading-dash (&quot;--&quot;), this prefix can be removed when an option is placed in a configuration file.</p> <div class="section" id="generic-options"> <h2>Generic Options</h2> <p>This section covers generic options which are accessible regardless of which mode OpenVPN is configured as.</p> <table class="docutils option-list" frame="void" rules="none"> <col class="option" /> <col class="description" /> <tbody valign="top"> <tr><td class="option-group"> <kbd><span class="option">--help</span></kbd></td> <td>Show options.</td></tr> <tr><td class="option-group"> <kbd><span class="option">--auth-nocache</span></kbd></td> <td><p class="first">Don't cache <tt class="docutils literal"><span class="pre">--askpass</span></tt> or <tt class="docutils literal"><span class="pre">--auth-user-pass</span></tt> username/passwords in virtual memory.</p> <p>If specified, this directive will cause OpenVPN to immediately forget username/password inputs after they are used. As a result, when OpenVPN needs a username/password, it will prompt for input from stdin, which may be multiple times during the duration of an OpenVPN session.</p> <p>When using <tt class="docutils literal"><span class="pre">--auth-nocache</span></tt> in combination with a user/password file and <tt class="docutils literal"><span class="pre">--chroot</span></tt> or <tt class="docutils literal"><span class="pre">--daemon</span></tt>, make sure to use an absolute path.</p> <p class="last">This directive does not affect the <tt class="docutils literal"><span class="pre">--http-proxy</span></tt> username/password. It is always cached.</p> </td></tr> <tr><td class="option-group"> <kbd><span class="option">--cd <var>dir</var></span></kbd></td> <td><p class="first">Change directory to <tt class="docutils literal">dir</tt> prior to reading any files such as configuration files, key files, scripts, etc. <tt class="docutils literal">dir</tt> should be an absolute path, with a leading &quot;/&quot;, and without any references to the current directory such as <code>.</code> or <code>..</code>.</p> <p class="last">This option is useful when you are running OpenVPN in <tt class="docutils literal"><span class="pre">--daemon</span></tt> mode, and you want to consolidate all of your OpenVPN control files in one location.</p> </td></tr> <tr><td class="option-group"> <kbd><span class="option">--chroot <var>dir</var></span></kbd></td> <td><p class="first">Chroot to <tt class="docutils literal">dir</tt> after initialization. <tt class="docutils literal"><span class="pre">--chroot</span></tt> essentially redefines <tt class="docutils literal">dir</tt> as being the top level directory tree (/). OpenVPN will therefore be unable to access any files outside this tree. This can be desirable from a security standpoint.</p> <p>Since the chroot operation is delayed until after initialization, most OpenVPN options that reference files will operate in a pre-chroot context.</p> <p>In many cases, the <tt class="docutils literal">dir</tt> parameter can point to an empty directory, however complications can result when scripts or restarts are executed after the chroot operation.</p> <p class="last">Note: The SSL library will probably need /dev/urandom to be available inside the chroot directory <tt class="docutils literal">dir</tt>. This is because SSL libraries occasionally need to collect fresh random. Newer linux kernels and some BSDs implement a getrandom() or getentropy() syscall that removes the need for /dev/urandom to be available.</p> </td></tr> <tr><td class="option-group"> <kbd><span class="option">--config <var>file</var></span></kbd></td> <td><p class="first">Load additional config options from <tt class="docutils literal">file</tt> where each line corresponds to one command line option, but with the leading '--' removed.</p> <p>If <tt class="docutils literal"><span class="pre">--config</span> file</tt> is the only option to the openvpn command, the <tt class="docutils literal"><span class="pre">--config</span></tt> can be removed, and the command can be given as <tt class="docutils literal">openvpn file</tt></p> <p>Note that configuration files can be nested to a reasonable depth.</p> <p>Double quotation or single quotation characters (&quot;&quot;, '') can be used to enclose single parameters containing whitespace, and &quot;#&quot; or &quot;;&quot; characters in the first column can be used to denote comments.</p> <p>Note that OpenVPN 2.0 and higher performs backslash-based shell escaping for characters not in single quotations, so the following mappings should be observed:</p> <pre class="literal-block"> \\ Maps to a single backslash character (\). \&quot; Pass a literal doublequote character (&quot;), don't interpret it as enclosing a parameter. \[SPACE] Pass a literal space or tab character, don't interpret it as a parameter delimiter. </pre> <p>For example on Windows, use double backslashes to represent pathnames:</p> <pre class="literal-block"> secret &quot;c:\\OpenVPN\\secret.key&quot; </pre> <p>For examples of configuration files, see <a class="reference external" href="https://openvpn.net/community-resources/how-to/">https://openvpn.net/community-resources/how-to/</a></p> <p>Here is an example configuration file:</p> <pre class="last literal-block"> # # Sample OpenVPN configuration file for
Emails

goodger@python.org

URLs

http-equiv="Content-Type"

http://docutils.sourceforge.net/"

http://docutils.sf.net/docs/howto/html-stylesheets.html

http-proxy

http-proxy-option

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    files.000webhost.com
  • Port:
    21
  • Username:
    fcb-aws-host-4

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

gfhhjgh.duckdns.org:8050

Attributes
  • delay

    3

  • install

    false

  • install_file

    system32.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

fickerstealer

C2

80.87.192.115:80

Extracted

Family

oski

C2

prepepe.ac.ug

Extracted

Family

redline

Botnet

@zhilsholi

C2

yabynennet.xyz:81

Attributes
  • auth_value

    c2d0b7a2ede97b91495c99e75b4f27fb

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

5781468cedb3a203003fdf1f12e72fe98d6f1c0f

Attributes
  • url4cnc

    http://194.180.174.53/brikitiki

    http://91.219.236.18/brikitiki

    http://194.180.174.41/brikitiki

    http://91.219.236.148/brikitiki

    https://t.me/brikitiki

rc4.plain
rc4.plain

Extracted

Family

pony

C2

http://londonpaerl.co.uk/yesup/gate.php

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Targets

    • Target

      Downloads.exe

    • Size

      20MB

    • MD5

      1f8d2846109b9b9fdadb28ba1492dbff

    • SHA1

      6a89d407a8cbe41392fe8771c9b4ab01e479bd2d

    • SHA256

      39320dd56575ef700b43ad49fff8c5088cb8b6bd05546f376b04d44c976ae148

    • SHA512

      33a5dd606f2f4c1513189560989a3c61cbd47b2a282e7d32798e548f4d53a421075d23a416ce443fb91121c24b79c6132bd652e069cdf063f9f2480e2bb5b452

    • SSDEEP

      393216:NCaD/8a2qhzNvMnSVtxr6lTyuF0WOifSRrd1cFKe9CX5QqiMikP537aXmb0r:4aDkalhpZ0lVHSzevqeMvbU

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Detect Blackmoon payload

    • Detect PurpleFox Rootkit

      Detect PurpleFox Rootkit.

    • Detects Smokeloader packer

    • Djvu Ransomware

      Ransomware which is a variant of the STOP family.

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Oski

      Oski is an infostealer targeting browser data, crypto wallets.

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • PurpleFox

      PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • UAC bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Sets service image path in registry

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Modifies file permissions

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks