General

  • Target

    cleaner.rar

  • Size

    118KB

  • Sample

    230331-yxncesed5y

  • MD5

    01041d92241a26e6f256fdfa4ea30e35

  • SHA1

    06dbb57a36acf53d3ff2120327be5fac5f6894c7

  • SHA256

    77e6ae4adb21785c15b5345027e002b880e5ac3488a53567a977cd8f71011d25

  • SHA512

    10d92f1d18115701f5b1b10c1c7476dbec110e882f87b5f8e407eb6ec081b2cc23f0853d75c8c607a4e3aa213de2d07a61a290e04d9414e08d0d95a3dee6db9d

  • SSDEEP

    3072:qh6doFX4ayTh0hru1i/y7LsjdP8d/emgA1KcGjmnA0KdqV7Ty:qjXoTh6aius58d/ef0Cqdy

Malware Config

Targets

    • Target

      disclaimer.bat

    • Size

      1KB

    • MD5

      850a38428a7ca32521ada820e387b56f

    • SHA1

      f7486042163e0b9af6c98039252ed56d76a520c9

    • SHA256

      1f35ae3a5153871955da8fd1941c9755ff4ba37c2c9b92787a75e81098d08f27

    • SHA512

      d82935da66287a3ae031be07958cfbd07a6bddf6c13204165542c1325e0436a5b9a58dc2e90ef7433134d51f638a2ec485655fe3acafa2bb8df944e2c5eb8dfc

    • Score

      1/10

    • Target

      install req.bat

    • Size

      44B

    • MD5

      c0bc736bea452911dc1d05b2057f7930

    • SHA1

      f791d45638d871b3363d7d901a1d02e682d984c9

    • SHA256

      75063883cdc9f24f0a5be967af68e302a3c89f0fb8876900e82b70786f2ca854

    • SHA512

      34d46be255a96cb2c6d967d6f50401852085f0634bc7ca4cf96d32e0907146b3c5e67276bd8de00efbeef27ccb31442a04501d50b4fa7d27c8f0ae411e60b805

    • Score

      1/10

    • Target

      main.py

    • Size

      15KB

    • MD5

      ed4e86bf3dd9f31e190fb418b7552f11

    • SHA1

      50a77749d4af0a2d49d9a6737abfd2b4435b80e5

    • SHA256

      3fe44974b93aaeaed238552a19450200a084386795c1248d92c5daf94208da20

    • SHA512

      ab38bbed356ce6f80e0b82b4ab22db8cf7479b80d1861eef2566367c641f4b4df9b80a2a8025f5b535810be3659509b4ce26d34d798230ba1aad6e3ee221a0db

    • SSDEEP

      384:XNDTCbTCCTCcTCETCITCXTCATCCT8fETrT7T/TRTdUPAtUcwS7AsKup:dfKdl3l69dSonXrdObS7AsKup

    • Score

      3/10

    • Target

      setup.bat

    • Size

      906B

    • MD5

      19b05a9c595bbf8e6d7ea7a1a35ded4e

    • SHA1

      eede03b5f9ef64201b7705814237f02df5e797a1

    • SHA256

      c72154cb4e64232c924b09bd056b2dd38fe58df261684b2cfc73e3567215925c

    • SHA512

      9775ce33e8bfe2d44db0bd2e093d6e20f0f6cd2039e900eec1b6ff8203b28bb19939992b2deb82aa55ca2fe1df537c9069a7e61930ca4f557a4fcd0c4ef1db21

    • Score

      1/10

    • Target

      start.bat

    • Size

      367B

    • MD5

      431287d8e6a9977ff7e81e517a83be8c

    • SHA1

      276d9fa1fa4df70d63a42c187d8c14e98cbd32b1

    • SHA256

      3a045f35813c68b06a3a681dc3b2db9589b221137e2a6a55838dbd8495c0f898

    • SHA512

      57a4ac4ef62990b5d36ce567a8abcde78aa7cec7f6cb0392039ac09023f18fca3b11331128832aec09a50d1ba51427c3758ba97000c1d556472336fdfcc45d1f

    • Score

      1/10

    • Target

      web/gui.html

    • Size

      8KB

    • MD5

      951d9d6dafedc809c079b0a1417cdce0

    • SHA1

      f97243a5c605517f3880b5538f3d3a2ae0cb2f63

    • SHA256

      84241f49dc4a21584edfb53d3fce0554ca7a01d134f8911b827fd511ebeafde6

    • SHA512

      90457147ebb361cd12d19b0a1a7ed9e7b6c88b686814cc201770a7312a036b11c8612bb5f56140a6debecbc65ac74ce8de7662d9a471803caa7bea9e6974d8dd

    • SSDEEP

      192:75KUJbVGJJbpo/MJb4C6JbBcJb9aARDXEnL0Jbi:lXujIcbh7QII

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      web/index.js

    • Size

      6KB

    • MD5

      7daa1a8715bdbf58c241fc65ee4e545c

    • SHA1

      08fc1179c7de732ce0ff0f5de6083b5f6d8e044d

    • SHA256

      11bfa3e58826021c025e51fe484c05540e733318545a3c4b7c6c99748bfa230d

    • SHA512

      d86dcc661fe5b45b9fa5041ee46e1a87ece55f1cda86006b7c51b77305c344100c50d17c57a542a56768110356efea8645dec072b3686680c162bd4084f76116

    • SSDEEP

      192:+XOZ0pXtLrkIpZaNahsei4iqiBCiOimi+ieQ:uOejLdyei4iqiBCiOimi+ieQ

    • Score

      1/10

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                             Count  Technique ID
  Persistence       Registry Run Keys / Startup Folder    2      T1060
  Defense Evasion   Modify Registry                       2      T1112
  Discovery         System Information Discovery          5      T1082
  Discovery         Query Registry                        5      T1012
  Discovery         Peripheral Device Discovery           1      T1120

Tasks