General
-
Target
https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2021.09.7z
-
Sample
240524-rd2blsge4w
Malware Config
Extracted
gafgyt
205.185.121.251:606
46.243.187.18:23
194.87.138.146:999
209.126.73.248:839
Extracted
xtremerat
servidorods.ddns.net
耀:\Userservidorods.ddns.net
C:\Users\WanD7\Desktop\ARservidorods.ddns.net
junpio70.hopto.org
Extracted
darkcomet
Sazan
marbeyli.duckdns.org:1604
DC_MUTEX-D2KTVT9
-
InstallPath
MSDCSC\svchost.exe
-
gencode
iGJFx2jaJsy3
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Extracted
asyncrat
1.0.7
Default
14.17.115.109:8848
14.17.115.109:12356
14.17.115.109:55555
14.17.115.109:22222
erwe1r2w1r52e1
-
delay
1
-
install
true
-
install_file
flash.exe
-
install_folder
%AppData%
Extracted
darkcomet
PrivateEye
ratblackshades.no-ip.biz:1604
DC_MUTEX-ACC1R98
-
gencode
8GG5LVVGljSF
-
install
false
-
offline_keylogger
true
-
persistence
false
Extracted
redline
mix23.09
185.215.113.15:6043
Extracted
redline
UTS
45.9.20.20:13441
Extracted
redline
paladin
188.124.36.242:25802
Extracted
redline
PUB
45.9.20.20:13441
Extracted
redline
mix21.09
185.215.113.15:6043
Targets
-
-
Target
https://samples.vx-underground.org/Samples/Bazaar%20Collection/Downloadable%20Releases/Bazaar.2021.09.7z
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Detect Neshta payload
-
Detect XtremeRAT payload
-
Detected Gafgyt variant
-
Gafgyt/Bashlite
IoT botnet with numerous variants first seen in 2014.
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Mirai
Mirai is a prevalent Linux malware infecting exposed network devices.
-
Modifies WinLogon for persistence
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
RuRAT
RuRAT is a remote admin tool sold as legitimate software but regularly abused in malicious phishing campaigns.
-
Sakula
Sakula is a remote access trojan with various capabilities.
-
Sakula payload
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Async RAT payload
-
Renames multiple (105) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies Installed Components in the registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Scheduled Task/Job
1