General
-
Target
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a.exe
-
Size
22.5MB
-
Sample
240719-1l86vs1ern
-
MD5
52867174362410d63215d78e708103ea
-
SHA1
7ae4e1048e4463a4201bdeaf224c5b6face681bf
-
SHA256
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
-
SHA512
89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab
-
SSDEEP
393216:HJLgf7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ4y5SDkFV:poBPQwxMR7pn5qUTB9xOFVWvJKJPkwd9
Malware Config
Extracted
Protocol: ftp- Host:
files.000webhost.com - Port:
21 - Username:
fcb-aws-host-4
Extracted
asyncrat
0.5.7B
Default
gfhhjgh.duckdns.org:8050
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_file
system32.exe
-
install_folder
%AppData%
Extracted
njrat
im523
mediaget
kazya1.hopto.org:1470
a797c6ca3f5e7aff8fa1149c47fe9466
-
reg_key
a797c6ca3f5e7aff8fa1149c47fe9466
-
splitter
|'|'|
Extracted
fickerstealer
80.87.192.115:80
Extracted
redline
@zhilsholi
yabynennet.xyz:81
-
auth_value
c2d0b7a2ede97b91495c99e75b4f27fb
Extracted
raccoon
1.8.3-hotfix
5781468cedb3a203003fdf1f12e72fe98d6f1c0f
-
url4cnc
http://194.180.174.53/brikitiki
http://91.219.236.18/brikitiki
http://194.180.174.41/brikitiki
http://91.219.236.148/brikitiki
https://t.me/brikitiki
Extracted
pony
http://londonpaerl.co.uk/yesup/gate.php
Extracted
oski
prepepe.ac.ug
Extracted
azorult
http://195.245.112.115/index.php
Targets
-
-
Target
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a.exe
-
Size
22.5MB
-
MD5
52867174362410d63215d78e708103ea
-
SHA1
7ae4e1048e4463a4201bdeaf224c5b6face681bf
-
SHA256
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
-
SHA512
89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab
-
SSDEEP
393216:HJLgf7BPkdKzrZciLxv8naSNtPr5rn57M84UTB9xO5/VWvJKJPkwdnfZ4y5SDkFV:poBPQwxMR7pn5qUTB9xOFVWvJKJPkwd9
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detect Blackmoon payload
-
Detect PurpleFox Rootkit
Detect PurpleFox Rootkit.
-
Fickerstealer
Ficker is an infostealer written in Rust and ASM.
-
Gh0st RAT payload
-
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
-
HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
-
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
-
Raccoon Stealer V1 payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
UAC bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Async RAT payload
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
XMRig Miner payload
-
Drops file in Drivers directory
-
Modifies Windows Firewall
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook accounts
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
4Scripting
1Virtualization/Sandbox Evasion
1