Overview

overview

10

Static

static

3

fatalerror.exe

windows7-x64

10

fatalerror.exe

windows10-1703-x64

10

fatalerror.exe

windows10-2004-x64

10

fatalerror.exe

windows11-21h2-x64

10

Resubmissions

11-04-2024 15:50

240411-tacvysaa6y 10

11-04-2024 14:37

240411-ry8lesde42 10

09-04-2024 17:30

240409-v3hscaha8y 10

08-01-2024 17:24

240108-vy3xqaecgj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fatalerror.exe

  • Size

    19.9MB

  • Sample

    240108-vy3xqaecgj

  • MD5

    62df3bbc2aaeddab1942f1ed0b2db429

  • SHA1

    a31b35f778fa5bec3a09b215db38d891fa45510d

  • SHA256

    1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254

  • SHA512

    6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd

  • SSDEEP

    393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc

Score
10/10
dcratmodiloadernjratphorphiexsalitysmokeloaderwannacryxtremeratxwormzgratggbackdoorbootkitdiscoveryevasioninfostealerloaderpersistenceransomwareratspywaretrojanupxworm

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

TcK6iKFmjhETcMYi

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/RqgnZ1zk

aes.plain

Extracted

Family

xworm

C2

tr1.localto.net:39186

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Microsoft Storge.exe

Extracted

Family

xtremerat

C2

antonioxx.no-ip.org

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Family

njrat

Version

im523

Botnet

gg

C2

5.tcp.eu.ngrok.io:13017

Mutex

8b094ade9743639b941a0474f6aa7525

Attributes
  • reg_key

    8b094ade9743639b941a0474f6aa7525

  • splitter

    |'|'|

Extracted

Family

smokeloader

Version

2020

C2

http://host-file-host6.com/

http://host-host-file8.com/
rc4.i32
rc4.i32

Extracted

Family

phorphiex

C2

http://185.215.113.66/

Wallets

0xAa3ea4838e8E3F6a1922c6B67E3cD6efD1ff175b

THRUoPK7oYqF7YyKZJvPYwTH35JsPZVPto

1Hw9tx4KyTq4oRoLVhPb4hjDJcLhEa4Tn6

qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

XtxFdsKkRN3oVDXtN2ipcHeNi87basT2sL

LXMNcn9D8FQKzGNLjdSyR9dEM8Rsh9NzyX

rwn7tb5KQjXEjH42GgdHWHec5PPhVgqhSH

ARML6g7zynrwUHJbFJCCzMPiysUFXYBGgQ

48jYpFT6bT8MTeph7VsyzCQeDsGHqdQNc2kUkRFJPzfRHHjarBvBtudPUtParMkDzZbYBrd3yntWBQcsnVBNeeMbN9EXifg

3PL7YCa4akNYzuScqQwiSbtTP9q9E9PLreC

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

D9AJWrbYsidS9rAU146ifLRu1fzX9oQYSH

t1gvVWHnjbGTsoWXEyoTFojc2GqEzBgvbEn

bnb1cgttf7t5hu7ud3c436ufhcmy59qnkd09adqczd

bc1q0fusmmgycnhsd5cadsuz2hk8d4maausjfjypqg

bitcoincash:qr89hag2967ef604ud3lw4pq8hmn69n46czwdnx3ut

GAUCC7ZBSU2KJMHXOZD6AP5LOBGKNDPCDNRYP2CO2ACR63YCSUBNT5QE

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �
Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Targets

    • Target

      fatalerror.exe

    • Size

      19.9MB

    • MD5

      62df3bbc2aaeddab1942f1ed0b2db429

    • SHA1

      a31b35f778fa5bec3a09b215db38d891fa45510d

    • SHA256

      1d2822a34aa548e8e890e33b66cf6722e0bdb82944dae1b53feaf902790c5254

    • SHA512

      6ab2b5f72db8b6e386c142e330807bd2eec9983c04ab034c4011c053a5be0294514f06693c66a9f8b6bcc7b60d1646810f7c2cda4379b6cdbda2f9d5d047bfdd

    • SSDEEP

      393216:jDLmcuBUDiQv3FlGzbhweRo3W6aJZCN7TW/0k6CN1VWtES:jflGw3F6dwijJZCN2sA1Vc

    Score
    10/10
    dcratmodiloadersalitywannacryxtremeratxwormzgratbackdoorbootkitdiscoveryevasioninfostealerpersistenceransomwareratspywaretrojanupxwormnjratphorphiexsmokeloaderggloader

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect XtremeRAT payload

    • Detect Xworm Payload

    • Detect ZGRat V1

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies firewall policy service

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • Phorphiex

      Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.

      wormtrojanloaderphorphiex

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

      trojanbackdoorsmokeloader

    • UAC bypass

      evasiontrojan

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • Windows security bypass

      evasiontrojan

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • ModiLoader Second Stage

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Program crash

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

10
T1112

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify Tools

3
T1562.001

Indicator Removal

2
T1070

File Deletion

2
T1070.004

File and Directory Permissions Modification

1
T1222

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Discovery

System Information Discovery

4
T1082

Query Registry

3
T1012

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

2
T1490

Resource Development

Reconnaissance

Tasks