General

  • Target

    b93aaa33295a7b67f4b350268b6cfe9fbea7916f5e40918755dfd47af78828f9

  • Size

    4.6MB

  • Sample

    221126-mmvg7sda4y

  • MD5

    351741174cd2477d0a6f61d4d6bfa454

  • SHA1

    b6de248a416355b7a4043bc12ba79bc448ed7803

  • SHA256

    b93aaa33295a7b67f4b350268b6cfe9fbea7916f5e40918755dfd47af78828f9

  • SHA512

    640c4067abd9c450deb5f7ec93814c32115f3a84e054e7b200b831cc560628bf70f085047c7b36748f04f7934957a307f4f7e8433b6f7fa97491e37f69c031c0

  • SSDEEP

    98304:0FzsFQm22Erv/8eOQMYCOFJob9tab05ue6OtLrMyDT/vtpQ:BH22EQR9ta7OtLgYvQ

Targets

    • Target

      Mbot repack by DarkSideOfSoul/Atlava Dll Injector by Phoenix1337.exe

    • Size

      73KB

    • MD5

      6843ef86496ed523983392599062c965

    • SHA1

      7a0666c6a8f9379fc07cba26cb383a4921c1bde5

    • SHA256

      9bb160e1f7ada754b40fbac56407caacaafd9a7d02f03af9e0355e8e263d72b4

    • SHA512

      a426d5f9cc103cb6f22bcce3b9b07877a66e97bf671b928956afeccdf592dfe2b9269b2dd48c9b28c0a7ec4f27c8e949ffdd5fb6a84511b9da30a531bf963919

    • SSDEEP

      1536:L+1QrC5pV23IrXWhBXcbDaEbTI02gDO9kOgPcG/cPnU18g:L0pVkEXWPJNhkOgPcG0fIH

    Score
    1/10
    • Target

      Mbot repack by DarkSideOfSoul/Detour.dll

    • Size

      58KB

    • MD5

      519fb61d24a6bb5ca730b9ecbd201593

    • SHA1

      400f472c2fdc54bb36e16185a6c3d8ae2d00ff60

    • SHA256

      c643712e9554395345268041e96450143a30a66638cb8f35f8307bb95b4aacc4

    • SHA512

      fda314ff39f0a4e6cf3cb07f1f0750d238ac824c94eb8e02c66feb7a5f90758b1bfebf4694b665d60d4cbcd41aaedfc9f140bc44d85400cd7f0e767962984c0e

    • SSDEEP

      768:W669srHegXVuwbVzAEsc3zMfJZLHDtPBCBGjqGkhdQJyRPRuXAWu5jZA:W6LrHVuk/x3ziJP4BGOdxRuvuvA

    Score
    1/10
    • Target

      Mbot repack by DarkSideOfSoul/Hook.exe

    • Size

      12KB

    • MD5

      ef18946a2c84761c004427de4bcc91f0

    • SHA1

      1f92db61c82bab9e147d1bb3f8cb52d27883d30d

    • SHA256

      2c7bea9edacb58def6642e98cf22b5c6a31b1b37e05dd9370b8085ab01f18f0b

    • SHA512

      a6df16dcdd6bafc8bc9c3ba8f6f2107a596052b4da1856aaab67e70789a8dd2472b96dac2f5cbaedae5c14768f250f7abef79140861690389f9421518cbcac9e

    • SSDEEP

      192:gNSfJHfaB/zQVyTe8u4Xc57e+JbIfuWgelZ1JJ9hqy2c:6OHfDM6ucUebIfuWnlnhd

    Score
    1/10
    • Target

      Mbot repack by DarkSideOfSoul/mBotCrack.dll

    • Size

      416KB

    • MD5

      e9ddc2b1b1e7d85d59dfd59c1d45c692

    • SHA1

      d469b5d97c9e1eee2b56191643fb7de9a143ad3f

    • SHA256

      760da9c1dfe9663cb1a49247b6d0be4b9f9a1ecbffc8494d71f1a856ee6ae112

    • SHA512

      9019c4b982a090f5c6d50d86f7587a63ae9d18747037b4223d10f065665bb205dcf2a159ca3f815708c9e2e55be8770eb96fb035d22a78c6ba16effd3e507062

    • SSDEEP

      6144:oXGSCXC2+SrIjjVSftNsxq8UmSAoKB8QKnDzxMntK08JcI55s4Kbdui7IWol4OVG:o2fC2jIvVSVNszOnytKPG/ZdZoTRe

    Score
    8/10
    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer. The usual indicators are section names of the form .vmp0, .vmp1 and section contents with near-random byte distribution (high entropy); the packed image exposes VMProtect's virtual-machine stub rather than the original code, so static analysis of this file shows very little.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class (0x11). A thread flagged this way stops reporting debug events, so an attached debugger loses visibility of it and breakpoint exceptions raised inside it are not delivered to the debugger. This is a deliberate anti-debugging measure, not an incidental artefact.

    • Target

      Mbot repack by DarkSideOfSoul/mBotLoader.exe

    • Size

      2.5MB

    • MD5

      b864c557c4131578a9685c414003377d

    • SHA1

      7babee9d4d2925337d365a2b1a74f931f65f9713

    • SHA256

      7991da35eaedb012559937785a75042dffb0112c38ed25d02d61aac3504b8fae

    • SHA512

      0bac75953ed9dbd67656d04316d56be82c1c8db119c5ab1a1d1a5d17a4ea13afd933feb7ca1d97f16d5a18733b6b3ce6035dd992881f9c2cf90cb7c1f7819288

    • SSDEEP

      49152:2jl1ZZdGyoXqeIELvYiCCA8hhsysIKedW8RmkeVWnVYjuc8mjHf:2jhGyo1IovYiCCpPmIVWuS/

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      VirtualBox guests expose ACPI tables with the OEM identifier VBOX__, which Windows mirrors under HKLM\HARDWARE\ACPI\DSDT, FADT and RSDT. Opening those subkeys and looking for a VBOX__ entry is a common anti-VM check; a hit usually changes the sample's execution path, so the behaviour recorded in this run may not be its full behaviour on bare metal.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments. The values involved are SystemBiosVersion, SystemBiosDate and VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System; in a virtual machine they carry vendor strings such as VBOX, VMWARE, QEMU or BOCHS that the sample can compare against.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment. The check looks for HKCU\Software\Wine (and HKLM\Software\Wine), keys that a stock Windows installation does not have, and is a cheap way to tell whether the binary is running on real Windows.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system. The signature fires on a write into the first sector of \\.\PhysicalDrive0 through a handle opened with write access. Before treating this as a bootkit, confirm what changed by comparing the first 512 bytes of the disk image before and after the run (bootstrap code in bytes 0-445, partition table in bytes 446-509, boot signature in 510-511): a raw-disk write on its own does not show that the boot code was replaced.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with class ThreadHideFromDebugger (0x11): the calling thread no longer delivers debug events to an attached debugger.

    • Target

      Mbot repack by DarkSideOfSoul/mBot_vSRO110.exe

    • Size

      3.0MB

    • MD5

      1c9e5f224771314c95a8902ebb177d5f

    • SHA1

      652e3bef6d1d609e5e23f00c3c8bcbaa96953719

    • SHA256

      4f17791bfbade207c01c4de9ed7d592c536eea6eee020623e378418ed4131717

    • SHA512

      ba246b4f8644976bee4a6a6e5ee0f7682ff31772418153d9a63e3cbc6b3a46b386dfc5a1a5eada3746fd8012ce305a2fa993b412cc24ffea9279ebd82be845d1

    • SSDEEP

      49152:0dXxm+8HV8+72BnIM7BM9NK/JHqN5KdXsmmwUhbcUPceEw7+j66FsoptheLLXE:WxcdYI+y9cAKlsVwObcU5Ew7BaBnh2X

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      Looks for VBOX__ entries under HKLM\HARDWARE\ACPI\DSDT, FADT and RSDT, which only a VirtualBox guest exposes.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments; the values are SystemBiosVersion and VideoBiosVersion under HKLM\HARDWARE\DESCRIPTION\System, which name the hypervisor vendor inside a VM.

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment. The check opens HKCU\Software\Wine or HKLM\Software\Wine, which do not exist on a stock Windows installation.

    • Checks whether UAC is enabled

      Reads EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. A value of 0 means UAC is switched off and an administrator's processes already run with a full token, so the result decides whether any elevation step is needed at all.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system. As for mBotLoader.exe above, verify the actual change by diffing the first sector of the disk image before and after execution rather than relying on the raw-disk write alone.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      NtSetInformationThread with class ThreadHideFromDebugger (0x11): the calling thread no longer delivers debug events to an attached debugger.

    • Target

      Mbot repack by DarkSideOfSoul/merrsend.exe

    • Size

      5KB

    • MD5

      7beeb35c3bde8caab110b5dc3a45218c

    • SHA1

      fa36661a88ec5d68b9bec81dc7e216a3ed696aae

    • SHA256

      62738c3e6e2dc132dbce415191383c64b76e460f80af5714d7ef4a4aceabc25a

    • SHA512

      cd9ccae0d8124a8d7427e1074da7d0ee20a6646bba0bb01e3d177af714235b1466cba155365fe3ab8382d2bf780e0f95a7ace75e76b1c0e68800b425f0524795

    • SSDEEP

      48:63P/t9LRlWFcalXAPBtToWuJLiliwvWcOJph+gOJDV3VkYf8l7ZWyA8ldjZ6FWSu:mXW/XAJyjJnnOJDREdWwPVCzNt

    Score
    1/10
    • Target

      Mbot repack by DarkSideOfSoul/psilk.dll

    • Size

      87KB

    • MD5

      f10823b20021569726929cbe2b3e9114

    • SHA1

      b6c2d20b32bb5ed658e050dd046e307137fe24b2

    • SHA256

      bcc0a22aabea03511150c83e0573ce73d0035d2df7fe3302d0cf499066aa6457

    • SHA512

      cff9344b18d2ab2a19bdcab633a74a7eff8b3e3740d5293f695d57a7345cb0596cc56d0b6e151d876e190fabf1f051a879e9b52745a10bc63f48b16b68e4d894

    • SSDEEP

      1536:l0ylvve3dQYQrk5cbGmQ5Rzyt0yMm0OFgzLa5k0II:SovGj8ycbGmQ5RzytVMm0OFga5r

    Score
    1/10
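
The four registry-based signatures and the MBR signature reported for mBotLoader.exe and mBot_vSRO110.exe can be re-derived from a process activity trace. The script below is an added example for this page, not the sandbox's own signature engine and not code from the sample: it matches the well-known registry locations these checks probe and implements the MBR rule statefully (a raw-disk handle opened for writing, then a write that lands inside sector 0 on that handle). The log format ("<operation> <path or arguments>", one event per line) and the sample events are constructed for the example and were not captured from the files listed above.

```python
"""Re-derive the report's anti-VM / anti-sandbox / MBR signatures from an
activity log (added example; log format and events are constructed)."""
import re
from collections import defaultdict

# Signature name (as printed in the report) -> patterns matched against one
# log line. Registry paths are case-insensitive, so all matching is too.
RULES = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)": [
        r"^RegOpenKey HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__",
    ],
    "Checks BIOS information in registry": [
        r"^RegQueryValue HKLM\\HARDWARE\\DESCRIPTION\\System\\"
        r"(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$",
    ],
    "Identifies Wine through registry keys": [
        r"^RegOpenKey HK(LM|CU)\\Software\\Wine$",
    ],
    "Checks whether UAC is enabled": [
        r"^RegQueryValue HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\"
        r"Policies\\System\\EnableLUA$",
    ],
}
MBR_SIGNATURE = "Writes to the Master Boot Record (MBR)"
SECTOR_SIZE = 512

# Stateful rule: the MBR signature needs a raw-disk handle opened for writing
# *and* a write on that same handle that lands inside sector 0.
OPEN_DISK = re.compile(r"^CreateFile " + re.escape(r"\\.\PhysicalDrive") +
                       r"\d+ access=(\S+) handle=(\S+)$", re.IGNORECASE)
WRITE_FILE = re.compile(r"^WriteFile handle=(\S+) offset=(\d+) length=(\d+)$",
                        re.IGNORECASE)


def classify(log_text: str) -> dict:
    """Map each signature that fired to the 1-based log lines that triggered it."""
    hits = defaultdict(list)
    writable_disks = set()          # handles opened on \\.\PhysicalDriveN with write access
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        for name, patterns in RULES.items():
            if any(re.match(p, line, re.IGNORECASE) for p in patterns):
                hits[name].append(lineno)
        m = OPEN_DISK.match(line)
        if m:
            if "GENERIC_WRITE" in m.group(1).upper():
                writable_disks.add(m.group(2).lower())
            continue
        m = WRITE_FILE.match(line)
        if m and m.group(1).lower() in writable_disks and int(m.group(2)) < SECTOR_SIZE:
            hits[MBR_SIGNATURE].append(lineno)
    return dict(hits)


# Constructed event log (not captured from the sample): one event per line.
# The last line is ordinary Run-key access and must not fire anything.
SAMPLE_LOG = r"""RegOpenKey HKLM\HARDWARE\ACPI\DSDT\VBOX__
RegQueryValue HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
RegOpenKey HKCU\Software\Wine
RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
CreateFile \\.\PhysicalDrive0 access=GENERIC_READ|GENERIC_WRITE handle=0x1A4
WriteFile handle=0x1a4 offset=0 length=512
RegOpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Run
"""

if __name__ == "__main__":
    for sig, lines in classify(SAMPLE_LOG).items():
        print(f"{sig}: lines {lines}")
```

The MBR rule deliberately requires both the write-capable open and the sector-0 write; a WriteFile on a handle that was opened read-only, or on a handle never seen being opened on a physical drive, does not count. That is the same distinction the caveat above asks for when deciding whether a "Writes to the MBR" hit is a bootkit or merely raw-disk access.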
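
The "VMProtect packed file" signature on mBotCrack.dll and mBotLoader.exe rests on static properties of the PE image. The following script is an added example, not code from the sandbox vendor or from any file in this archive: it walks the PE section table without third-party libraries and applies the usual VMProtect heuristic (section names beginning with .vmp, and sections whose bytes are close to random). The PE header offsets follow the PE/COFF specification; the sample image is built in-script as a fixture, so its numbers are not those of the real files above.

```python
"""Flag VMProtect-style packing from a PE file's section table (added
example; the sample image is constructed, not one of the report's files)."""
import hashlib
import math
import struct

IMAGE_NT_SIGNATURE = b"PE\0\0"
SECTION_HEADER_SIZE = 40
ENTROPY_THRESHOLD = 7.2  # bits per byte; plain x86 code usually sits around 5.5-6.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Return [(name, raw_offset, raw_size, entropy)] from the section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    num_sections, size_opt = struct.unpack_from("<H12xH", image, coff + 2)
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_ptr, raw_size, round(shannon_entropy(data), 2)))
    return sections


def vmprotect_indicators(image: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Human-readable findings; an empty list means no VMProtect indicator."""
    findings = []
    for name, _off, size, ent in parse_sections(image):
        if name.lower().startswith(".vmp"):
            findings.append(f"section {name} is named like VMProtect output")
        if size >= 256 and ent >= threshold:
            findings.append(f"section {name} has entropy {ent} (packed or encrypted)")
    return findings


def build_sample_image(sections):
    """Construct a minimal PE32 image (test fixture, not a loadable binary).

    Only the fields parse_sections() reads are meaningful; the optional
    header is zero-filled."""
    e_lfanew, size_opt, first_raw = 0x40, 0xE0, 0x400
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    hdr += IMAGE_NT_SIGNATURE
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    hdr += b"\0" * size_opt
    body, ptr = b"", first_raw
    for name, data in sections:
        hdr += struct.pack("<8sIIII", name, len(data), ptr, len(data), ptr) + b"\0" * 16
        body += data
        ptr += len(data)
    hdr += b"\0" * (first_raw - len(hdr))
    return bytes(hdr) + body


# Constructed sample: a flat .text of NOPs next to a .vmp0 filled with hash
# output, a deterministic stand-in for virtualised/encrypted code.
SAMPLE_IMAGE = build_sample_image([
    (b".text", b"\x90" * 1024),
    (b".vmp0", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))),
])

if __name__ == "__main__":
    for sec in parse_sections(SAMPLE_IMAGE):
        print(sec)
    for finding in vmprotect_indicators(SAMPLE_IMAGE):
        print("!", finding)
```

Section names are a weak signal on their own (a packer can rename them), which is why the entropy check is kept alongside; conversely, compressed resources or embedded certificates also score high on entropy, so the name and entropy hits should be read together rather than either one alone.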

MITRE ATT&CK Enterprise v6
