General
- Target: RequestHunter v2.2.rar
- Size: 54.2MB
- Sample: 240522-tzpwtahb91
- MD5: cbba99ddf40e1afee732e608c3c703d3
- SHA1: e929df7d1ca45db0808bfec6766fda2a08ba5685
- SHA256: 4f89ae09799ff6f723b7894a33d5c013f6a1cfa733ad9a2ed5dcd1ad25413923
- SHA512: 64f25ea7c4408dc4317a4663e07852a5b48eebb08bf3cc0caed20a39016c51e26454a77bf6d65d13ba4bd6ff2c2946cd9c1318ff297c302eade7e6ed3c17788a
- SSDEEP: 786432:2UQ+UUJpc+F04sioI66DWtcw+5TYz5g8iIduuakyGkYdE5nRgRl0UBPicVETS7k/:HPJXNoBHiT5TYzPdikTkYFRlRhVETGI
Static task: static1
Behavioral task: behavioral1
- Sample: RequestHunter v2.2/RequestHunter.exe
- Resource: win10v2004-20240508-en
Malware Config
Targets
- Target: RequestHunter v2.2/RequestHunter.exe
- Size: 54.7MB
- MD5: 53bb2cf2e8c1e8806f25b561535db2db
- SHA1: 1f4291c281caf522fbb893d37158cf4081b3e838
- SHA256: f7984e82b19075915ca8f29a41e513c8f1eb8f6e6a21871bd0cea33f3613a840
- SHA512: c55ff92b60507b9a3ffbf4b0780f0c4c7c824a8b55aa1fb6005af685f840656d399c507114c137692f4003cea914319bdf4e7c3533c7d16cb76b1bbc408daec2
- SSDEEP: 1572864:jNHFnYOLV2XNx6QTDpsZCaOA+dVoaTjrMxyEOR/s:jznjyZmZzOA+Pv6AR/
Signatures
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Contacts a large (1501) number of remote hosts
  This may indicate a network scan to discover remotely running services.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1)
- System Services (1): Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)