Overview

overview

10

Static

static

3

advbattoex...er.exe

windows11-21h2-x64

10

Resubmissions

26-04-2024 19:20

240426-x2g6jaad64 7

26-04-2024 19:17

240426-xzst9aad24 7

26-04-2024 19:15

240426-xydc6sac75 7

26-04-2024 18:18

240426-wxts4aac21 7

26-04-2024 17:46

240426-wcm5tahf6t 7

18-04-2024 16:20

240418-ts28kaae71 10

17-04-2024 20:42

240417-zhhn3aeh9z 7

17-04-2024 19:29

240417-x7eycsdb41 7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    advbattoexeconverter.exe

  • Size

    804KB

  • Sample

    240418-ts28kaae71

  • MD5

    83bb1b476c7143552853a2cf983c1142

  • SHA1

    8ff8ed5c533d70a7d933ec45264dd700145acd8c

  • SHA256

    af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb

  • SHA512

    6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a

  • SSDEEP

    24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

Score
10/10
azorultcrimsonratmodiloadernetwirenjratrevengeratrmswannacrywarzoneratguestbotnetdiscoveryevasioninfostealermacromacro_on_actionpersistenceransomwareratrezer0stealertrojanupxworm

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    109.248.203.81
  • Port:
    21
  • Username:
    alex
  • Password:
    easypassword

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

netwire

C2

tamerimia.ug:6975

vbchjfssdfcxbcver.ru:6975
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    AAAAA

  • lock_executable

    false

  • mutex

    CQbRXVuG

  • offline_keylogger

    false

  • password

    jhbkdcfgvdfgknl

  • registry_autorun

    false

  • use_mutex

    true

Extracted

Family

crimsonrat

C2

185.136.161.124

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Targets

    • Target

      advbattoexeconverter.exe

    • Size

      804KB

    • MD5

      83bb1b476c7143552853a2cf983c1142

    • SHA1

      8ff8ed5c533d70a7d933ec45264dd700145acd8c

    • SHA256

      af09248cb756488850f9e6f9a7a00149005bf47a9b2087b792ff6bd937297ffb

    • SHA512

      6916c6c5addf43f56b9de217e1b640ab6f4d7e5a73cd33a7189f66c9b7f0b954c5aa635f92fcef5692ca0ca0c8767e97a678e90d545079b5e6d421555f5b761a

    • SSDEEP

      24576:0xFkFHdJ8aT/iziXH6FGnYhqQuimKC6Qpor:0IdJ1KiBYhsl+r

    Score
    10/10
    azorultcrimsonratmodiloadernetwirenjratrevengeratrmswannacrywarzoneratguestbotnetdiscoveryevasioninfostealermacromacro_on_actionpersistenceransomwareratrezer0stealertrojanupxworm

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

      ratcrimsonrat

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Modifies WinLogon for persistence

      persistence

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RMS

      Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

      trojanratrms

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • UAC bypass

      evasiontrojan

    • Wannacry

      WannaCry is a ransomware cryptoworm.

      ransomwarewormwannacry

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Windows security bypass

      evasiontrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • ModiLoader First Stage

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • RevengeRat Executable

      stealer

    • Warzone RAT payload

      rat

    • Blocks application from running via registry modification

      Adds application to list of disallowed applications.

      evasion

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Modifies Windows Firewall

      evasion

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

      macromacro_on_action

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Stops running service(s)

      evasion

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Modifies file permissions

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Account Manipulation

1
T1098

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

9
T1112

Impair Defenses

5
T1562

Disable or Modify Tools

3
T1562.001

Disable or Modify System Firewall

1
T1562.004

Hide Artifacts

3
T1564

Hidden Files and Directories

3
T1564.001

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Indicator Removal

1
T1070

File Deletion

1
T1070.004

File and Directory Permissions Modification

1
T1222

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

5
T1082

Query Registry

2
T1012

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Inhibit System Recovery

1
T1490

Service Stop

1
T1489

Resource Development

Reconnaissance

Tasks