General

Target: S-400-RAT-v3.0.zip
Size: 12.1MB
Sample: 230623-p58hwsgc5v
MD5: d4156a2e76637e8580dabec5c67742fe
SHA1: 27972b889c0d8f07e0a1b0dff8f2f94c6c26e6cf
SHA256: 2b513b72ec8cb1f4571f84c59d443cf93d652d65816a582fb07db381bb8afbea
SHA512: 3d25bbbc905a42f195314d548808355c38622d827866cc452338526551fe06b78ac89279b09ed524caee365be6a2a463bc75a6ca41692c750c5d0978a637451a
SSDEEP: 393216:3byDExsDbkoBhj/cL+rH/WRWdJMa1CeLLuS:32JDRISrfWRgMa11LuS

Malware Config

Extracted: https://github.com/NGROKC/CTC/raw/main/cvn.exe
Targets

Target: S-400-RAT-v3.0.zip (size and hashes as listed under General)
- Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring and block at first sight.
- Nirsoft
- Blocklisted process makes network request
- Downloads MZ/PE file
- Modifies Windows Firewall
- .NET Reactor protector: detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Checks computer location settings: looks up the country code configured in the registry, likely used as a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control-flow obfuscation.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2: the extracted configuration URL is a GitHub raw-file link.
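The signature names above are what the sandbox saw; the following is an added example (not part of the report and not code from the sample) of turning five of them into host-side matching rules and running those rules over constructed Sysmon-style telemetry. The registry paths are the standard Windows locations for each behaviour (Defender policy values, the Run key, the firewall policy key, the Geo\Nation value, the Uninstall key); the events, SIDs, file names and paths are invented for illustration. It also shows the caveat a detection engineer hits immediately: the two "Checks ..." signatures are registry reads, which Sysmon never logs, so they only reproduce from API-trace telemetry such as a sandbox produces.

```python
"""Host-side rules for the behaviour signatures listed in the report above.

Added example: not part of the sandbox report and not code from the sample.
Runs registry/process rules over CONSTRUCTED Sysmon-style events plus two
registry READ events of the kind only an API-monitoring sandbox records.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str                 # "registry_set", "registry_read" or "process_create"
    target: str = ""          # registry key or value path
    details: str = ""         # value data, Sysmon style: "DWORD (0x00000001)"
    command_line: str = ""    # process_create only


DEFENDER_POLICY = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\", re.I)
# DisableX = 1 switches a protection off; DisableX = 0 is a re-enable and must not alert.
DEFENDER_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring", "disableonaccessprotection",
    "disableioavprotection", "disableblockatfirstseen", "disableantispyware",
}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
FIREWALL_KEY = re.compile(r"\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I)
NETSH_FIREWALL = re.compile(r"\bnetsh(\.exe)?\b.*\badvfirewall\b", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
UNINSTALL_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)


def _dword(details: str):
    """Numeric value out of Sysmon's 'DWORD (0x...)' rendering, or None."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None


def disables_defender(e: Event) -> bool:
    if e.kind != "registry_set" or not DEFENDER_POLICY.search(e.target):
        return False
    value_name = e.target.rsplit("\\", 1)[-1].lower()
    return value_name in DEFENDER_DISABLE_VALUES and (_dword(e.details) or 0) != 0


def adds_run_key(e: Event) -> bool:
    return e.kind == "registry_set" and bool(RUN_KEY.search(e.target))


def modifies_firewall(e: Event) -> bool:
    if e.kind == "registry_set":
        return bool(FIREWALL_KEY.search(e.target))
    return e.kind == "process_create" and bool(NETSH_FIREWALL.search(e.command_line))


def checks_location(e: Event) -> bool:
    # Sysmon does not log registry reads; this fires only on API-trace telemetry.
    return e.kind == "registry_read" and bool(GEO_NATION.search(e.target))


def checks_installed_software(e: Event) -> bool:
    return e.kind == "registry_read" and bool(UNINSTALL_KEY.search(e.target))


# Labels are the signature names exactly as the report prints them.
RULES = [
    ("Contains code to disable Windows Defender", disables_defender),
    ("Adds Run key to start application", adds_run_key),
    ("Modifies Windows Firewall", modifies_firewall),
    ("Checks computer location settings", checks_location),
    ("Checks installed software on the system", checks_installed_software),
]


def triage(events) -> list:
    """Sorted list of report signatures reproduced by the given events."""
    return sorted({label for e in events for label, rule in RULES if rule(e)})


DEFENDER_RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Constructed telemetry; SID, file names and paths are invented, not observed from the sample.
SAMPLE_EVENTS = [
    Event("registry_set", DEFENDER_RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    Event("registry_set", r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\DisableBlockAtFirstSeen",
          "DWORD (0x00000001)"),
    Event("registry_set", r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          r"C:\Users\Public\Updater.exe"),
    Event("process_create", command_line='netsh advfirewall firewall add rule name="Updater" dir=in '
                                         'action=allow program="C:\\Users\\Public\\Updater.exe"'),
    Event("registry_read", r"HKCU\Control Panel\International\Geo\Nation"),
    Event("registry_read", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome"),
    # Control case: re-enabling real-time protection is not a disable.
    Event("registry_set", DEFENDER_RTP + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Run stand-alone it prints the five reproduced signature names; the final control event (DisableRealtimeMonitoring written back to 0) deliberately does not fire, which is the distinction a production rule must keep or it will alert on every policy restore.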