Resubmissions

28/07/2023, 22:00

230728-1wmqlshh67 10

28/07/2023, 21:41

230728-1j9plshh34 8

General

  • Target

    S500 RAT.rar

  • Size

    30.6MB

  • Sample

    230728-1wmqlshh67

  • MD5

    ae9d5e5ce42e7a4ca5044b5cf4797963

  • SHA1

    e1812897468f019b86ed90462b19352560f5e68e

  • SHA256

    ce8236f5830160300ae692f18c93ac6c254639683271fe085d96ef4681c37130

  • SHA512

    bda2c3ada8c0ee1354f30def5f8fa83eb0e1e3a8842001d2cb0cbf4e04be2302fd9325779c6a4472c5ac52baec0f7a2e165f1d565c0dc438765c6147bf9f222e

  • SSDEEP

    786432:GV2fXNxAu1ht4FjmN+0K/XGZWxxWaGigyg96UD5z/+:Gwjb1gjmNdsX/xQahs9tU

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    https://pastebin.com/raw/p2s7tDSd

Targets

    • Target

      S500 RAT.rar

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks