General

  • Target

    S-400-RAT-v3.0.zip

  • Size

    12.1MB

  • Sample

    230623-p58hwsgc5v

  • MD5

    d4156a2e76637e8580dabec5c67742fe

  • SHA1

    27972b889c0d8f07e0a1b0dff8f2f94c6c26e6cf

  • SHA256

    2b513b72ec8cb1f4571f84c59d443cf93d652d65816a582fb07db381bb8afbea

  • SHA512

    3d25bbbc905a42f195314d548808355c38622d827866cc452338526551fe06b78ac89279b09ed524caee365be6a2a463bc75a6ca41692c750c5d0978a637451a

  • SSDEEP

    393216:3byDExsDbkoBhj/cL+rH/WRWdJMa1CeLLuS:32JDRISrfWRgMa11LuS
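Before detonating, sharing or hunting on an archive pulled from a sandbox, confirm that the file on disk is the one this report describes. The following Python is an added example, not part of the report or the sandbox's tooling: it recomputes the four digests listed above in a single streaming pass and compares them to the report values (the SSDEEP fuzzy hash needs the separate ssdeep package and is not recomputed here). The sample itself is not embedded; the self-check in the test uses a constructed byte string.

```python
import hashlib

# Digests as listed in the report above; the sample itself is not embedded here.
REPORT_HASHES = {
    "md5": "d4156a2e76637e8580dabec5c67742fe",
    "sha1": "27972b889c0d8f07e0a1b0dff8f2f94c6c26e6cf",
    "sha256": "2b513b72ec8cb1f4571f84c59d443cf93d652d65816a582fb07db381bb8afbea",
    "sha512": "3d25bbbc905a42f195314d548808355c38622d827866cc452338526551fe06b78ac89279b09ed524caee365be6a2a463bc75a6ca41692c750c5d0978a637451a",
}

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_stream(chunks) -> dict:
    """Run all four digests over an iterable of byte chunks in one pass."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file on disk without loading the whole archive into memory."""
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(chunk_size), b""))


def verify(actual: dict, expected: dict) -> dict:
    """Per-algorithm match result; hex digests are compared case-insensitively."""
    return {name: actual[name] == expected[name].strip().lower()
            for name in expected if name in actual}


def matches_report(actual: dict, expected: dict = REPORT_HASHES) -> bool:
    """True only if every listed digest matches; one mismatch means a different file."""
    result = verify(actual, expected)
    return bool(result) and all(result.values())


if __name__ == "__main__":
    import sys
    digests = hash_file(sys.argv[1])
    for name, ok in verify(digests, REPORT_HASHES).items():
        print(f"{name:6s} {'OK' if ok else 'MISMATCH'} {digests[name]}")
    sys.exit(0 if matches_report(digests) else 1)
```

Run it as `python verify_sample.py S-400-RAT-v3.0.zip`; a non-zero exit code means the file on disk is not the reported sample, which usually indicates a re-packed archive or a truncated download rather than a report error.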

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: https://github.com/NGROKC/CTC/raw/main/cvn.exe

Targets

    • Target

      S-400-RAT-v3.0.zip

    • Size

      12.1MB

    • MD5

      d4156a2e76637e8580dabec5c67742fe

    • SHA1

      27972b889c0d8f07e0a1b0dff8f2f94c6c26e6cf

    • SHA256

      2b513b72ec8cb1f4571f84c59d443cf93d652d65816a582fb07db381bb8afbea

    • SHA512

      3d25bbbc905a42f195314d548808355c38622d827866cc452338526551fe06b78ac89279b09ed524caee365be6a2a463bc75a6ca41692c750c5d0978a637451a

    • SSDEEP

      393216:3byDExsDbkoBhj/cL+rH/WRWdJMa1CeLLuS:32JDRISrfWRgMa11LuS

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Nirsoft

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2
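Several of the signatures above describe registry behaviour that a responder can also hunt for outside the sandbox. The following Python is an added example, not the sandbox's own detection code: it encodes four of the listed signatures (Defender disablement, Run key persistence, the Geo\Nation country lookup, and Uninstall key enumeration) as rules over a simplified, constructed JSON-lines registry activity log. The log format and the Defender policy key paths under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender are assumptions for illustration; the Run, Geo and Uninstall paths are the standard Windows locations. It goes one step beyond the report by also flagging whether a Run key target lives in a user-writable directory, which is the usual tell for a dropped startup file.

```python
import fnmatch
import json

# Constructed registry-activity log (not the sandbox's own format): one JSON object per
# line with the operation, key path, value name, data written and the acting process.
# The Defender policy key paths are an assumed location for the "disable realtime
# monitoring / block at first seen" behaviour; Run, Geo and Uninstall are standard paths.
SAMPLE_LOG = r"""
{"op": "set", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "cvn", "data": "C:\\Users\\user\\AppData\\Roaming\\cvn.exe", "image": "C:\\Users\\user\\AppData\\Roaming\\cvn.exe"}
{"op": "set", "path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "value": "DisableRealtimeMonitoring", "data": "1", "image": "C:\\Users\\user\\AppData\\Roaming\\cvn.exe"}
{"op": "set", "path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SpyNet", "value": "DisableBlockAtFirstSeen", "data": "1", "image": "C:\\Users\\user\\AppData\\Roaming\\cvn.exe"}
{"op": "query", "path": "HKCU\\Control Panel\\International\\Geo", "value": "Nation", "data": "", "image": "C:\\Users\\user\\AppData\\Roaming\\cvn.exe"}
{"op": "enum", "path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "value": "", "data": "", "image": "C:\\Users\\user\\AppData\\Roaming\\cvn.exe"}
{"op": "set", "path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "OneDrive", "data": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background", "image": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"}
{"op": "query", "path": "HKCU\\Control Panel\\International", "value": "LocaleName", "data": "", "image": "C:\\Windows\\explorer.exe"}
"""


def _under(path: str, pattern: str) -> bool:
    """Case-insensitive glob match of a key path, including any subkey beneath it."""
    p = path.lower().rstrip("\\")
    pat = pattern.lower()
    return fnmatch.fnmatchcase(p, pat) or fnmatch.fnmatchcase(p, pat + "\\*")


def _is_user_writable(exe_path: str) -> bool:
    """Rough check that a Run key target sits somewhere a standard user can write."""
    p = exe_path.lower()
    return any(m in p for m in ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\"))


def _defender_disable(r: dict) -> bool:
    # Assumed policy key location; any Disable* value set to 1 under it counts.
    return (r["op"] == "set"
            and _under(r["path"], r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender")
            and r["value"].lower().startswith("disable")
            and str(r["data"]) == "1")


def _run_key(r: dict) -> bool:
    return r["op"] == "set" and any(_under(r["path"], pat) for pat in (
        r"*\Software\Microsoft\Windows\CurrentVersion\Run",
        r"*\Software\Microsoft\Windows\CurrentVersion\RunOnce"))


def _geo_lookup(r: dict) -> bool:
    return (r["op"] == "query"
            and _under(r["path"], r"HKCU\Control Panel\International\Geo")
            and r["value"].lower() == "nation")


def _uninstall_enum(r: dict) -> bool:
    # The "*" also covers the WOW6432Node view of the Uninstall key on 64-bit systems.
    return r["op"] in ("enum", "query") and _under(
        r["path"], r"HKLM\SOFTWARE\*\CurrentVersion\Uninstall")


# Rule names mirror the report's signature names so hits can be cross-referenced.
RULES = [
    ("Contains code to disable Windows Defender", _defender_disable),
    ("Adds Run key to start application", _run_key),
    ("Checks computer location settings", _geo_lookup),
    ("Checks installed software on the system", _uninstall_enum),
]


def parse_log(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(text: str) -> list:
    """Return (signature name, record) for every record that satisfies a rule."""
    return [(name, rec) for rec in parse_log(text) for name, pred in RULES if pred(rec)]


def summarize(hits: list) -> dict:
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts


def run_key_targets(hits: list) -> list:
    """Each Run key target and whether it lives in a user-writable location."""
    return [(rec["data"], _is_user_writable(rec["data"]))
            for name, rec in hits if name == "Adds Run key to start application"]


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for sig, count in summarize(found).items():
        print(f"{count}  {sig}")
    for target, writable in run_key_targets(found):
        print(f"Run key target: {target}  user-writable={writable}")
```

The benign-looking OneDrive entry in the constructed log still trips the Run key rule, as it does in the sandbox; the user-writable flag is what separates it from the dropped cvn.exe, so treat the signature as a lead and the target path as the triage criterion.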

MITRE ATT&CK Enterprise v6

Tasks