Overview
overview
10Static
static
100490e8427a...c7.elf
ubuntu-18.04-amd64
0490e8427a...c7.elf
debian-9-armhf
0490e8427a...c7.elf
debian-9-mips
0490e8427a...c7.elf
debian-9-mipsel
068428a4ac...26.exe
windows7-x64
1068428a4ac...26.exe
windows10-2004-x64
1087421ac22...94.elf
debian-9-mipsel
100c4791a6b4...ea.elf
debian-9-armhf
100d9bd2ae2e...ea.exe
windows7-x64
100d9bd2ae2e...ea.exe
windows10-2004-x64
70fa00d4f4f...70.dll
windows7-x64
10fa00d4f4f...70.dll
windows10-2004-x64
110de02fec8...d1.bat
windows7-x64
110de02fec8...d1.bat
windows10-2004-x64
81157191701...32.exe
windows7-x64
71157191701...32.exe
windows10-2004-x64
1016e81343ec...a5.exe
windows7-x64
716e81343ec...a5.exe
windows10-2004-x64
717691f0962...b7.elf
debian-9-mipsel
717c24104e8...12.exe
windows7-x64
317c24104e8...12.exe
windows10-2004-x64
3$PLUGINSDI...ol.dll
windows7-x64
3$PLUGINSDI...ol.dll
windows10-2004-x64
3$PLUGINSDI...ss.dll
windows7-x64
3$PLUGINSDI...ss.dll
windows10-2004-x64
3CommandPost.exe
windows7-x64
3CommandPost.exe
windows10-2004-x64
3Uninstall.exe
windows7-x64
7Uninstall.exe
windows10-2004-x64
7$PLUGINSDI...ss.dll
windows7-x64
3$PLUGINSDI...ss.dll
windows10-2004-x64
31816cd993d...28.exe
windows7-x64
7Resubmissions
22-04-2024 22:02
240422-1xtwbagh68 1022-04-2024 19:25
240422-x42b7afa68 1019-04-2024 03:02
240419-djmthsfh8w 10Analysis
-
max time kernel
143s -
max time network
131s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
19-04-2024 03:02
Static task
static1
Behavioral task
behavioral1
Sample
0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf
Resource
ubuntu1804-amd64-20240226-en
Behavioral task
behavioral2
Sample
0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral3
Sample
0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf
Resource
debian9-mipsbe-20240226-en
Behavioral task
behavioral4
Sample
0490e8427ac66951389e11dbd990c19cb1ee43102c33935b12db6a4eca7717c7.elf
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral5
Sample
068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26.exe
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
068428a4acb65807251b3b4c0aee2101519fdaebf6db5376863da5add3471f26.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral7
Sample
087421ac222e935579dfd3b7a5120451fd9d9a663d3d1872c04b6154b238c894.elf
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral8
Sample
0c4791a6b47491a0c43cea0ba54357e391a3c8b23aa28025489bbe43bb9ea6ea.elf
Resource
debian9-armhf-20240226-en
Behavioral task
behavioral9
Sample
0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
0d9bd2ae2e4b023047b6c08684e9e5daae76e31cced4c3fdf4640136245f7eea.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral11
Sample
0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
0fa00d4f4f8e8449883aef7f0459a0fb754d57d55af2b41f5e445f867000fa70.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral13
Sample
10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat
Resource
win7-20240319-en
Behavioral task
behavioral14
Sample
10de02fec8ac3edbf1398e6dd43ddec95a89e0499e1e865a7d9e5289fb2b31d1.bat
Resource
win10v2004-20240412-en
Behavioral task
behavioral15
Sample
11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral17
Sample
16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5.exe
Resource
win7-20231129-en
Behavioral task
behavioral18
Sample
16e81343ecea6082d76bf1ab26818c3bf56929c92468fae8837c6384b62d05a5.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
17691f0962027e7110f727ae997f8af5885dd783674d1db023d467ec478515b7.elf
Resource
debian9-mipsel-20240226-en
Behavioral task
behavioral20
Sample
17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
17c24104e8e5350eeb7e2a162dec3f6a4d6c70f3f0849e6346fd383d998dcc12.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/AccessControl.dll
Resource
win7-20240221-en
Behavioral task
behavioral23
Sample
$PLUGINSDIR/AccessControl.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral24
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win7-20240319-en
Behavioral task
behavioral25
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral26
Sample
CommandPost.exe
Resource
win7-20240221-en
Behavioral task
behavioral27
Sample
CommandPost.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral28
Sample
Uninstall.exe
Resource
win7-20240221-en
Behavioral task
behavioral29
Sample
Uninstall.exe
Resource
win10v2004-20240412-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win7-20240221-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/nsProcess.dll
Resource
win10v2004-20240412-en
Behavioral task
behavioral32
Sample
1816cd993ddda970b791b090e6ecb501ef923bdcc0cc5f4a99e18dcdb7093228.exe
Resource
win7-20231129-en
General
-
Target
11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe
-
Size
14.4MB
-
MD5
ecaa6f88c3b6594914a8ffde04fd5d84
-
SHA1
885e4370299d369f7285ba5f2c544cbcd70a5fd0
-
SHA256
11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432
-
SHA512
94712c9ceddc1e2abd7ec19dc39bf2cbea54d3430f66887e2e0861c2cdb4c4ee24c39d3140c9374e826049516b814c3fcfcf4c49402bc5c2335d87bc0ee67f83
-
SSDEEP
393216:hp8QGQCKH9iqYCfy8tW5MrYR0aioa4CMRmrrCZRBkyQzy:v8QGrK5GXR9ioaJMRmrrdysy
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
GUBootService.exepid process 2900 GUBootService.exe -
Loads dropped DLL 9 IoCs
Processes:
11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exemore.comFahu.au3WerFault.exepid process 2960 11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe 2960 11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe 1428 more.com 1936 Fahu.au3 1084 WerFault.exe 1084 WerFault.exe 1084 WerFault.exe 1084 WerFault.exe 1084 WerFault.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
GUBootService.exedescription pid process target process PID 2900 set thread context of 1428 2900 GUBootService.exe more.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1084 1936 WerFault.exe Fahu.au3 -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
GUBootService.exemore.compid process 2900 GUBootService.exe 2900 GUBootService.exe 1428 more.com 1428 more.com -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
GUBootService.exemore.compid process 2900 GUBootService.exe 1428 more.com -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
GUBootService.exepid process 2900 GUBootService.exe -
Suspicious use of WriteProcessMemory 19 IoCs
Processes:
11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exeGUBootService.exemore.comFahu.au3description pid process target process PID 2960 wrote to memory of 2900 2960 11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe GUBootService.exe PID 2960 wrote to memory of 2900 2960 11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe GUBootService.exe PID 2960 wrote to memory of 2900 2960 11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe GUBootService.exe PID 2960 wrote to memory of 2900 2960 11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe GUBootService.exe PID 2900 wrote to memory of 1428 2900 GUBootService.exe more.com PID 2900 wrote to memory of 1428 2900 GUBootService.exe more.com PID 2900 wrote to memory of 1428 2900 GUBootService.exe more.com PID 2900 wrote to memory of 1428 2900 GUBootService.exe more.com PID 2900 wrote to memory of 1428 2900 GUBootService.exe more.com PID 1428 wrote to memory of 1936 1428 more.com Fahu.au3 PID 1428 wrote to memory of 1936 1428 more.com Fahu.au3 PID 1428 wrote to memory of 1936 1428 more.com Fahu.au3 PID 1428 wrote to memory of 1936 1428 more.com Fahu.au3 PID 1428 wrote to memory of 1936 1428 more.com Fahu.au3 PID 1936 wrote to memory of 1084 1936 Fahu.au3 WerFault.exe PID 1936 wrote to memory of 1084 1936 Fahu.au3 WerFault.exe PID 1936 wrote to memory of 1084 1936 Fahu.au3 WerFault.exe PID 1936 wrote to memory of 1084 1936 Fahu.au3 WerFault.exe PID 1428 wrote to memory of 1936 1428 more.com Fahu.au3
Processes
-
C:\Users\Admin\AppData\Local\Temp\11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe"C:\Users\Admin\AppData\Local\Temp\11571917015adbf3b5196509e1082c8d415f011cce88bd8b16e9d9c5a39ac432.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Users\Admin\AppData\Local\Temp\GUBootService.exe"C:\Users\Admin\AppData\Local\Temp\GUBootService.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\more.comC:\Windows\SysWOW64\more.com3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Users\Admin\AppData\Local\Temp\Fahu.au3C:\Users\Admin\AppData\Local\Temp\Fahu.au34⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 2525⤵
- Loads dropped DLL
- Program crash
PID:1084
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD5d2235aeb97c1be6fbdd13517579bcbf9
SHA1335abcda67ceab10c96bf4855642e031d65aa282
SHA256fa699bcb14ae008a91105ab5ba25744e1f16420b95c628ce21329b285cee511a
SHA512e4fcedf30de47a134d77ebd245c1e4036c8cdffdea84a44dad982e5c62346fc8ff304266e8b62d190159c5c6619d1bf5dc1ff8d70e73f78d56015d6f661c2041
-
Filesize
1.8MB
MD54f0b38d21f324e0d6aad2f08e6ffc9f0
SHA1fa529c21b07dd81f03dd29aaf50bbbc91bdf6942
SHA256b0dd13baf1f2713ea4f6cb43ff4b00aa7f554de96c3681db33e072ad8ad0761b
SHA51203e92f0686ab04a84863c0124b786c8e41407a0f4f40a2396809fc259245ee469b62c6e3dbdf3d40fb0448820f7806a91f7b86b13641b4d4390da9318b2b0c81
-
Filesize
925KB
MD50162a97ed477353bc35776a7addffd5c
SHA110db8fe20bbce0f10517c510ec73532cf6feb227
SHA25615600ccdef5a64b40d206d89234a51be1e11bd878dcefc5986590bcf40d9d571
SHA5129638cab1aabe78c22a3d3528a391544f697d792640d831516b63fa52c393ee96bb588223e70163d059208cc5a14481c5ff7ef6ba9ac572322798a823d67f01f5
-
Filesize
11.5MB
MD54a053e8f03eba1dd6fcd28aeea8dc05f
SHA1080d5f4b1c1e892658672aded073b70dfd14f7de
SHA2566a5cc7a1803b002e91129d9317fa8f2d79fc07775ded7163c38d41569f8068ed
SHA51232e3cc6fbb5db6b38c5aa18b3bb077c9e03e218d3698d6a30a6e62bfcba2692d4b625b286df0604637a5a7488d8215406c46f337f8ca908081b300a58945de3d