General
-
Target
Downloads.exe
-
Size
20.4MB
-
Sample
221024-y84hsaade9
-
MD5
1f8d2846109b9b9fdadb28ba1492dbff
-
SHA1
6a89d407a8cbe41392fe8771c9b4ab01e479bd2d
-
SHA256
39320dd56575ef700b43ad49fff8c5088cb8b6bd05546f376b04d44c976ae148
-
SHA512
33a5dd606f2f4c1513189560989a3c61cbd47b2a282e7d32798e548f4d53a421075d23a416ce443fb91121c24b79c6132bd652e069cdf063f9f2480e2bb5b452
-
SSDEEP
393216:NCaD/8a2qhzNvMnSVtxr6lTyuF0WOifSRrd1cFKe9CX5QqiMikP537aXmb0r:4aDkalhpZ0lVHSzevqeMvbU
Score
10/10
Malware Config
Extracted
Path
C:\Program Files\OpenVPN\doc\openvpn.8.html
Ransom Note
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils 0.18.1: http://docutils.sourceforge.net/" />
<title>openvpn</title>
<style type="text/css">
/*
:Author: David Goodger ([email protected])
:Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $
:Copyright: This stylesheet has been placed in the public domain.
Default cascading style sheet for the HTML output of Docutils.
See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
customize this style sheet.
*/
/* used to remove borders from tables and images */
.borderless, table.borderless td, table.borderless th {
border: 0 }
table.borderless td, table.borderless th {
/* Override padding for "table.docutils td" with "! important".
The right padding separates the table cells. */
padding: 0 0.5em 0 0 ! important }
.first {
/* Override more specific margin styles with "! important". */
margin-top: 0 ! important }
.last, .with-subtitle {
margin-bottom: 0 ! important }
.hidden {
display: none }
.subscript {
vertical-align: sub;
font-size: smaller }
.superscript {
vertical-align: super;
font-size: smaller }
a.toc-backref {
text-decoration: none ;
color: black }
blockquote.epigraph {
margin: 2em 5em ; }
dl.docutils dd {
margin-bottom: 0.5em }
object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
overflow: hidden;
}
/* Uncomment (and remove this text!) to get bold-faced definition list terms
dl.docutils dt {
font-weight: bold }
*/
div.abstract {
margin: 2em 5em }
div.abstract p.topic-title {
font-weight: bold ;
text-align: center }
div.admonition, div.attention, div.caution, div.danger, div.error,
div.hint, div.important, div.note, div.tip, div.warning {
margin: 2em ;
border: medium outset ;
padding: 1em }
div.admonition p.admonition-title, div.hint p.admonition-title,
div.important p.admonition-title, div.note p.admonition-title,
div.tip p.admonition-title {
font-weight: bold ;
font-family: sans-serif }
div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title, .code .error {
color: red ;
font-weight: bold ;
font-family: sans-serif }
/* Uncomment (and remove this text!) to get reduced vertical space in
compound paragraphs.
div.compound .compound-first, div.compound .compound-middle {
margin-bottom: 0.5em }
div.compound .compound-last, div.compound .compound-middle {
margin-top: 0.5em }
*/
div.dedication {
margin: 2em 5em ;
text-align: center ;
font-style: italic }
div.dedication p.topic-title {
font-weight: bold ;
font-style: normal }
div.figure {
margin-left: 2em ;
margin-right: 2em }
div.footer, div.header {
clear: both;
font-size: smaller }
div.line-block {
display: block ;
margin-top: 1em ;
margin-bottom: 1em }
div.line-block div.line-block {
margin-top: 0 ;
margin-bottom: 0 ;
margin-left: 1.5em }
div.sidebar {
margin: 0 0 0.5em 1em ;
border: medium outset ;
padding: 1em ;
background-color: #ffffee ;
width: 40% ;
float: right ;
clear: right }
div.sidebar p.rubric {
font-family: sans-serif ;
font-size: medium }
div.system-messages {
margin: 5em }
div.system-messages h1 {
color: red }
div.system-message {
border: medium outset ;
padding: 1em }
div.system-message p.system-message-title {
color: red ;
font-weight: bold }
div.topic {
margin: 2em }
h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
margin-top: 0.4em }
h1.title {
text-align: center }
h2.subtitle {
text-align: center }
hr.docutils {
width: 75% }
img.align-left, .figure.align-left, object.align-left, table.align-left {
clear: left ;
float: left ;
margin-right: 1em }
img.align-right, .figure.align-right, object.align-right, table.align-right {
clear: right ;
float: right ;
margin-left: 1em }
img.align-center, .figure.align-center, object.align-center {
display: block;
margin-left: auto;
margin-right: auto;
}
table.align-center {
margin-left: auto;
margin-right: auto;
}
.align-left {
text-align: left }
.align-center {
clear: both ;
text-align: center }
.align-right {
text-align: right }
/* reset inner alignment in figures */
div.align-right {
text-align: inherit }
/* div.align-center * { */
/* text-align: left } */
.align-top {
vertical-align: top }
.align-middle {
vertical-align: middle }
.align-bottom {
vertical-align: bottom }
ol.simple, ul.simple {
margin-bottom: 1em }
ol.arabic {
list-style: decimal }
ol.loweralpha {
list-style: lower-alpha }
ol.upperalpha {
list-style: upper-alpha }
ol.lowerroman {
list-style: lower-roman }
ol.upperroman {
list-style: upper-roman }
p.attribution {
text-align: right ;
margin-left: 50% }
p.caption {
font-style: italic }
p.credits {
font-style: italic ;
font-size: smaller }
p.label {
white-space: nowrap }
p.rubric {
font-weight: bold ;
font-size: larger ;
color: maroon ;
text-align: center }
p.sidebar-title {
font-family: sans-serif ;
font-weight: bold ;
font-size: larger }
p.sidebar-subtitle {
font-family: sans-serif ;
font-weight: bold }
p.topic-title {
font-weight: bold }
pre.address {
margin-bottom: 0 ;
margin-top: 0 ;
font: inherit }
pre.literal-block, pre.doctest-block, pre.math, pre.code {
margin-left: 2em ;
margin-right: 2em }
pre.code .ln { color: grey; } /* line numbers */
pre.code, code { background-color: #eeeeee }
pre.code .comment, code .comment { color: #5C6576 }
pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
pre.code .literal.string, code .literal.string { color: #0C5404 }
pre.code .name.builtin, code .name.builtin { color: #352B84 }
pre.code .deleted, code .deleted { background-color: #DEB0A1}
pre.code .inserted, code .inserted { background-color: #A3D289}
span.classifier {
font-family: sans-serif ;
font-style: oblique }
span.classifier-delimiter {
font-family: sans-serif ;
font-weight: bold }
span.interpreted {
font-family: sans-serif }
span.option {
white-space: nowrap }
span.pre {
white-space: pre }
span.problematic {
color: red }
span.section-subtitle {
/* font-size relative to parent (h1..h6 element) */
font-size: 80% }
table.citation {
border-left: solid 1px gray;
margin-left: 1px }
table.docinfo {
margin: 2em 4em }
table.docutils {
margin-top: 0.5em ;
margin-bottom: 0.5em }
table.footnote {
border-left: solid 1px black;
margin-left: 1px }
table.docutils td, table.docutils th,
table.docinfo td, table.docinfo th {
padding-left: 0.5em ;
padding-right: 0.5em ;
vertical-align: top }
table.docutils th.field-name, table.docinfo th.docinfo-name {
font-weight: bold ;
text-align: left ;
white-space: nowrap ;
padding-left: 0 }
/* "booktabs" style (no vertical lines) */
table.docutils.booktabs {
border: 0px;
border-top: 2px solid;
border-bottom: 2px solid;
border-collapse: collapse;
}
table.docutils.booktabs * {
border: 0px;
}
table.docutils.booktabs th {
border-bottom: thin solid;
text-align: left;
}
h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
font-size: 100% }
ul.auto-toc {
list-style-type: none }
</style>
</head>
<body>
<div class="document" id="openvpn">
<h1 class="title">openvpn</h1>
<h2 class="subtitle" id="secure-ip-tunnel-daemon">Secure IP tunnel daemon</h2>
<table class="docinfo" frame="void" rules="none">
<col class="docinfo-name" />
<col class="docinfo-content" />
<tbody valign="top">
<tr class="manual-section field"><th class="docinfo-name">Manual section:</th><td class="field-body">8</td>
</tr>
<tr class="manual-group field"><th class="docinfo-name">Manual group:</th><td class="field-body">System Manager's Manual</td>
</tr>
</tbody>
</table>
<div class="section" id="synopsis">
<h1>SYNOPSIS</h1>
<div class="line-block">
<div class="line"><tt class="docutils literal">openvpn</tt> [ options ... ]</div>
<div class="line"><tt class="docutils literal">openvpn</tt> <tt class="docutils literal"><span class="pre">--help</span></tt></div>
</div>
</div>
<div class="section" id="introduction">
<h1>INTRODUCTION</h1>
<p>OpenVPN is an open source VPN daemon by James Yonan. Because OpenVPN
tries to be a universal VPN tool offering a great deal of flexibility,
there are a lot of options on this manual page. If you're new to
OpenVPN, you might want to skip ahead to the examples section where you
will see how to construct simple VPNs on the command line without even
needing a configuration file.</p>
<p>Also note that there's more documentation and examples on the OpenVPN
web site: <a class="reference external" href="https://openvpn.net/">https://openvpn.net/</a></p>
<p>And if you would like to see a shorter version of this manual, see the
openvpn usage message which can be obtained by running <strong>openvpn</strong>
without any parameters.</p>
</div>
<div class="section" id="description">
<h1>DESCRIPTION</h1>
<p>OpenVPN is a robust and highly flexible VPN daemon. OpenVPN supports
SSL/TLS security, ethernet bridging, TCP or UDP tunnel transport through
proxies or NAT, support for dynamic IP addresses and DHCP, scalability
to hundreds or thousands of users, and portability to most major OS
platforms.</p>
<p>OpenVPN is tightly bound to the OpenSSL library, and derives much of its
crypto capabilities from it.</p>
<p>OpenVPN supports conventional encryption using a pre-shared secret key
<strong>(Static Key mode)</strong> or public key security <strong>(SSL/TLS mode)</strong> using
client & server certificates. OpenVPN also supports non-encrypted
TCP/UDP tunnels.</p>
<p>OpenVPN is designed to work with the <strong>TUN/TAP</strong> virtual networking
interface that exists on most platforms.</p>
<p>Overall, OpenVPN aims to offer many of the key features of IPSec but
with a relatively lightweight footprint.</p>
</div>
<div class="section" id="options">
<h1>OPTIONS</h1>
<p>OpenVPN allows any option to be placed either on the command line or in
a configuration file. Though all command line options are preceded by a
double-leading-dash ("--"), this prefix can be removed when an option is
placed in a configuration file.</p>
<div class="section" id="generic-options">
<h2>Generic Options</h2>
<p>This section covers generic options which are accessible regardless of
which mode OpenVPN is configured as.</p>
<table class="docutils option-list" frame="void" rules="none">
<col class="option" />
<col class="description" />
<tbody valign="top">
<tr><td class="option-group">
<kbd><span class="option">--help</span></kbd></td>
<td>Show options.</td></tr>
<tr><td class="option-group">
<kbd><span class="option">--auth-nocache</span></kbd></td>
<td><p class="first">Don't cache <tt class="docutils literal"><span class="pre">--askpass</span></tt> or <tt class="docutils literal"><span class="pre">--auth-user-pass</span></tt> username/passwords in
virtual memory.</p>
<p>If specified, this directive will cause OpenVPN to immediately forget
username/password inputs after they are used. As a result, when OpenVPN
needs a username/password, it will prompt for input from stdin, which
may be multiple times during the duration of an OpenVPN session.</p>
<p>When using <tt class="docutils literal"><span class="pre">--auth-nocache</span></tt> in combination with a user/password file
and <tt class="docutils literal"><span class="pre">--chroot</span></tt> or <tt class="docutils literal"><span class="pre">--daemon</span></tt>, make sure to use an absolute path.</p>
<p class="last">This directive does not affect the <tt class="docutils literal"><span class="pre">--http-proxy</span></tt> username/password.
It is always cached.</p>
</td></tr>
<tr><td class="option-group">
<kbd><span class="option">--cd <var>dir</var></span></kbd></td>
<td><p class="first">Change directory to <tt class="docutils literal">dir</tt> prior to reading any files such as
configuration files, key files, scripts, etc. <tt class="docutils literal">dir</tt> should be an
absolute path, with a leading "/", and without any references to the
current directory such as <code>.</code> or <code>..</code>.</p>
<p class="last">This option is useful when you are running OpenVPN in <tt class="docutils literal"><span class="pre">--daemon</span></tt> mode,
and you want to consolidate all of your OpenVPN control files in one
location.</p>
</td></tr>
<tr><td class="option-group">
<kbd><span class="option">--chroot <var>dir</var></span></kbd></td>
<td><p class="first">Chroot to <tt class="docutils literal">dir</tt> after initialization. <tt class="docutils literal"><span class="pre">--chroot</span></tt> essentially
redefines <tt class="docutils literal">dir</tt> as being the top level directory tree (/). OpenVPN
will therefore be unable to access any files outside this tree. This can
be desirable from a security standpoint.</p>
<p>Since the chroot operation is delayed until after initialization, most
OpenVPN options that reference files will operate in a pre-chroot
context.</p>
<p>In many cases, the <tt class="docutils literal">dir</tt> parameter can point to an empty directory,
however complications can result when scripts or restarts are executed
after the chroot operation.</p>
<p class="last">Note: The SSL library will probably need /dev/urandom to be available
inside the chroot directory <tt class="docutils literal">dir</tt>. This is because SSL libraries
occasionally need to collect fresh random. Newer linux kernels and some
BSDs implement a getrandom() or getentropy() syscall that removes the
need for /dev/urandom to be available.</p>
</td></tr>
<tr><td class="option-group">
<kbd><span class="option">--config <var>file</var></span></kbd></td>
<td><p class="first">Load additional config options from <tt class="docutils literal">file</tt> where each line corresponds
to one command line option, but with the leading '--' removed.</p>
<p>If <tt class="docutils literal"><span class="pre">--config</span> file</tt> is the only option to the openvpn command, the
<tt class="docutils literal"><span class="pre">--config</span></tt> can be removed, and the command can be given as <tt class="docutils literal">openvpn
file</tt></p>
<p>Note that configuration files can be nested to a reasonable depth.</p>
<p>Double quotation or single quotation characters ("", '') can be used to
enclose single parameters containing whitespace, and "#" or ";"
characters in the first column can be used to denote comments.</p>
<p>Note that OpenVPN 2.0 and higher performs backslash-based shell escaping
for characters not in single quotations, so the following mappings
should be observed:</p>
<pre class="literal-block">
\\ Maps to a single backslash character (\).
\" Pass a literal doublequote character ("), don't
interpret it as enclosing a parameter.
\[SPACE] Pass a literal space or tab character, don't
interpret it as a parameter delimiter.
</pre>
<p>For example on Windows, use double backslashes to represent pathnames:</p>
<pre class="literal-block">
secret "c:\\OpenVPN\\secret.key"
</pre>
<p>For examples of configuration files, see
<a class="reference external" href="https://openvpn.net/community-resources/how-to/">https://openvpn.net/community-resources/how-to/</a></p>
<p>Here is an example configuration file:</p>
<pre class="last literal-block">
#
# Sample OpenVPN configuration file for
Emails
URLs
http-equiv="Content-Type"
http://docutils.sourceforge.net/"
http://docutils.sf.net/docs/howto/html-stylesheets.html
http-proxy
http-proxy-option
Extracted
Credentials
Protocol: ftp- Host:
files.000webhost.com - Port:
21 - Username:
fcb-aws-host-4
Extracted
Family
asyncrat
Version
0.5.7B
Botnet
Default
C2
gfhhjgh.duckdns.org:8050
Mutex
AsyncMutex_6SI8OkPnk
Attributes
-
delay
3
-
install
false
-
install_file
system32.exe
-
install_folder
%AppData%
aes.plain
Extracted
Family
fickerstealer
C2
80.87.192.115:80
Extracted
Family
oski
C2
prepepe.ac.ug
Extracted
Family
redline
Botnet
@zhilsholi
C2
yabynennet.xyz:81
Attributes
-
auth_value
c2d0b7a2ede97b91495c99e75b4f27fb
Extracted
Family
raccoon
Version
1.8.3-hotfix
Botnet
5781468cedb3a203003fdf1f12e72fe98d6f1c0f
Attributes
-
url4cnc
http://194.180.174.53/brikitiki
http://91.219.236.18/brikitiki
http://194.180.174.41/brikitiki
http://91.219.236.148/brikitiki
https://t.me/brikitiki
rc4.plain
rc4.plain
Extracted
Family
pony
C2
http://londonpaerl.co.uk/yesup/gate.php
Extracted
Family
azorult
C2
http://195.245.112.115/index.php
Targets
-
-
Target
Downloads.exe
-
Size
20.4MB
-
MD5
1f8d2846109b9b9fdadb28ba1492dbff
-
SHA1
6a89d407a8cbe41392fe8771c9b4ab01e479bd2d
-
SHA256
39320dd56575ef700b43ad49fff8c5088cb8b6bd05546f376b04d44c976ae148
-
SHA512
33a5dd606f2f4c1513189560989a3c61cbd47b2a282e7d32798e548f4d53a421075d23a416ce443fb91121c24b79c6132bd652e069cdf063f9f2480e2bb5b452
-
SSDEEP
393216:NCaD/8a2qhzNvMnSVtxr6lTyuF0WOifSRrd1cFKe9CX5QqiMikP537aXmb0r:4aDkalhpZ0lVHSzevqeMvbU
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Blackmoon payload
-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Detects Smokeloader packer
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Async RAT payload
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Nirsoft
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Executes dropped EXE
-
Modifies Installed Components in the registry
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Sets service image path in registry
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Loads dropped DLL
-
Modifies file permissions
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Creates a large amount of network flows
This may indicate a network scan to discover remotely running services.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
4Scheduled Task
1Defense Evasion
Bypass User Account Control
1Disabling Security Tools
1File and Directory Permissions Modification
1Modify Registry
7Scripting
1Virtualization/Sandbox Evasion
1Web Service
1