General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
-
Sample
240329-264ybace94
Malware Config
Extracted
http://blockchainjoblist.com/wp-admin/014080/
https://womenempowermentpakistan.com/wp-admin/paba5q52/
https://atnimanvilla.com/wp-content/073735/
https://yeuquynhnhai.com/upload/41830/
https://deepikarai.com/js/4bzs6/
Extracted
modiloader
https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Extracted
netwire
tamerimia.ug:6975
vbchjfssdfcxbcver.ru:6975
-
activex_autorun
false
-
copy_executable
false
-
delete_original
false
-
host_id
AAAAA
-
lock_executable
false
-
mutex
CQbRXVuG
-
offline_keylogger
false
-
password
jhbkdcfgvdfgknl
-
registry_autorun
false
-
use_mutex
true
Targets
-
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Score10/10-
Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
-
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
Suspicious use of NtCreateProcessExOtherParentProcess
-
UAC bypass
-
ModiLoader First Stage
-
Renames multiple (185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
RevengeRat Executable
-
Blocklisted process makes network request
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
ASPack v2.12-2.42
Detects executables packed with ASPack v2.12-2.42
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
4Scripting
1