General
-
Target
onetap v3 20220427.zip
-
Size
7.1MB
-
Sample
230201-kwvhfsee4x
-
MD5
968b476f2246e218e34f5a13083ee861
-
SHA1
ca71fcaca04e5bd20d9d3457458af843879db240
-
SHA256
bf74bb4fe1c3fc2b765fe724d28ee861484a51003af6a145a79e7c84044fbffb
-
SHA512
4bdfc298c955b8af74eee90afc826ffbeb5df686440132b756f0d05883a7474586cc5f6335612d704b79ac22b9db91207f873ff5f9b3c746e34f22044dbc6cb5
-
SSDEEP
196608:EI4slDfiH4sGUyKT0RQrIVO7IscNASPamVLVCQ:CoDbsmKVdihOQ
Behavioral task
behavioral1
Sample
onetap v3.exe
Resource
win10v2004-20230220-en
Malware Config
Extracted
azorult
http://boglogov.site/index.php
Extracted
lokibot
http://blesblochem.com/two/gates1/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets
-
-
Target
onetap v3.exe
-
Size
7.2MB
-
MD5
103e516c943ad845c789ea01c751ec06
-
SHA1
949d2e33507a0096e889a8f14f743f717862d925
-
SHA256
5af08c95cdab3ec15519685b4a5d543ab5bff7ac9fdc6d5fc54de2f32fdc0914
-
SHA512
56c2ae4e264bbb2d41d07e8fddeae07d16b5a074d6c1ca1ec2e4ce58642de9541f24740904f83486bb28ea4043cf8c32f21974ad98fad981baa68ed830e2c05f
-
SSDEEP
196608:HsGgBjriZeOm0+qvG1eRi7U7g2iFoIHcsvNvK:J6jrOA0trklA
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Modifies visibility of file extensions in Explorer
-
Modifies visiblity of hidden/system files in Explorer
-
Grants admin privileges
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Downloads MZ/PE file
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Sets DLL path for service in the registry
-
Stops running service(s)
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Modifies file permissions
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
3Hidden Files and Directories
4Account Manipulation
1Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task
1Defense Evasion
Modify Registry
9Disabling Security Tools
3Hidden Files and Directories
4Bypass User Account Control
1Impair Defenses
1File Permissions Modification
1