Overview

overview

10

Static

static

10

injector.exe

windows7-x64

10

injector.exe

windows10-2004-x64

10

release-v2.exe

windows7-x64

10

release-v2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SynapseFromWish.zip

  • Size

    4.1MB

  • Sample

    230721-2ky5yahb25

  • MD5

    672e3253db25821eae7fa34b72a4f28a

  • SHA1

    83d3b2f680efb556a60ca8d9c3b9e2d66f3733a3

  • SHA256

    28e5ae202e258b19680786bfa282d772f5edd8c12c0a3f215d5773c7835f00f2

  • SHA512

    7ed0b60bce2dae1e74efa842e80d3e06d0f07657b507e9804188147a838237f182d2ad12f8d9b38cecc98ec7b4f1fc1c8238f66788de7b519d1c97e63d6512a9

  • SSDEEP

    98304:ilviIY/aalHpBYYF+4V+9f9CnAGV6aYc3dbxyCOjN0TsMdvAiSJGCC3a6:ilv1NGHPpIq+VUnh6QWXjHo16GB3a6

Score
10/10
vanillaratpersistencerat

Malware Config

Targets

    • Target

      injector.exe

    • Size

      114KB

    • MD5

      311b5c55bcd7a7bf987d264a3904770e

    • SHA1

      7df136430c19887e24cff480d6346dc9e75d2029

    • SHA256

      680d7600e0985ce1ec135784b11cf8eef62d4e6dcb540ccc082e339dffa89504

    • SHA512

      686a8041c9c1edb40e86439052813e78dab7b86e6d02b35268cf65780046ba164d3a26481c34247beac9c4518e4f69ceb5228e9f7af378ad83a5449e9573b271

    • SSDEEP

      3072:vgZApdYrD28fbJB2yLtyTQbjjxK3QdjrxivW+DXnH4vymbsF1Y:v/pe1J0QbXtrxivW+D34v4

    Score
    10/10
    vanillaratpersistencerat

    • VanillaRat

      VanillaRat is an advanced remote administration tool coded in C#.

      ratvanillarat

    • Vanilla Rat payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

    • Target

      release-v2.exe

    • Size

      6.1MB

    • MD5

      f7acd0852bb12402618146b0d16f354e

    • SHA1

      211e1174154435cf731ffd70c69cc9050f924174

    • SHA256

      02131c1bff27d6b1d89013f963095a425a32f8506e69799e7087554461bbbd9d

    • SHA512

      6dee8dcc59d0ac59728c7750cba5c570797e91cd39755c4b910c95ee0dfb3b0e1c69d954970a3638ded9ec411927226c2468adc39471671ea7f96ebe402298cc

    • SSDEEP

      196608:pNsMnreFZyDr0jUSCYKdY0ZVeQ+KMm6XOeRJpyrMS0kRkZ0YezmEse7IBWc7pH9K:pyc7/Zd31VC7WcVHdPa4c15D

    Score
    10/10

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops file in Drivers directory

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks