General

Malware Config

Extracted

Family

gafgyt

C2

205.185.121.251:606

46.243.187.18:23

194.87.138.146:999

209.126.73.248:839

Extracted

Family

xtremerat

C2

servidorods.ddns.net

耀œ:\Userservidorods.ddns.net

C:\Users\WanD7\Desktop\ARservidorods.ddns.net

junpio70.hopto.org

Extracted

Family

darkcomet

Botnet

Sazan

C2

marbeyli.duckdns.org:1604

Mutex

DC_MUTEX-D2KTVT9

Attributes
  • InstallPath

    MSDCSC\svchost.exe

  • gencode

    iGJFx2jaJsy3

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

14.17.115.109:8848

14.17.115.109:12356

14.17.115.109:55555

14.17.115.109:22222

Mutex

erwe1r2w1r52e1

Attributes
  • delay

    1

  • install

    true

  • install_file

    flash.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

PrivateEye

C2

ratblackshades.no-ip.biz:1604

Mutex

DC_MUTEX-ACC1R98

Attributes
  • gencode

    8GG5LVVGljSF

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

redline

Botnet

mix23.09

C2

185.215.113.15:6043

Extracted

Family

redline

Botnet

UTS

C2

45.9.20.20:13441

Extracted

Family

redline

Botnet

paladin

C2

188.124.36.242:25802

Extracted

Family

redline

Botnet

PUB

C2

45.9.20.20:13441

Extracted

Family

redline

Botnet

mix21.09

C2

185.215.113.15:6043

Targets

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Detect Neshta payload

    • Detect XtremeRAT payload

    • Detected Gafgyt variant

    • Gafgyt/Bashlite

      IoT botnet with numerous variants first seen in 2014.

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

    • Mirai

      Mirai is a prevalent Linux malware infecting exposed network devices.

    • Modifies WinLogon for persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • RuRAT

      RuRAT is a remote admin tool sold as legitimate software but regularly abused in malicious phishing campaigns.

    • Sakula

      Sakula is a remote access trojan with various capabilities.

    • Sakula payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • Renames multiple (105) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks