Resubmissions
23-07-2024 17:59
240723-wk4grs1hrl 1023-07-2024 17:56
240723-wjg75svcla 1023-07-2024 17:55
240723-whgvzsvcjg 823-07-2024 17:52
240723-wf3pns1hll 823-07-2024 17:45
240723-wbtafa1gpr 1023-07-2024 17:42
240723-v97eaavane 1023-07-2024 17:40
240723-v8625a1fpm 823-07-2024 17:39
240723-v8bafs1fll 823-07-2024 17:36
240723-v62dvs1eqq 10General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
-
Sample
240723-wk4grs1hrl
Malware Config
Extracted
metasploit
windows/download_exec
http://149.129.72.37:23456/SNpK
- headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)
Extracted
azorult
http://boglogov.site/index.php
Targets
-
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo
Score10/10-
Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies WinLogon for persistence
-
Modifies Windows Defender Real-time Protection settings
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass
-
Windows security bypass
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Deletes shadow copies
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit
-
Renames multiple (172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Sets file to hidden
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Modifies file permissions
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory
-
Hide Artifacts: Hidden Users
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Matrix ATT&CK v13
Execution
Windows Management Instrumentation
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Create or Modify System Process
3Windows Service
3Pre-OS Boot
1Bootkit
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
1Winlogon Helper DLL
2Create or Modify System Process
3Windows Service
3Abuse Elevation Control Mechanism
1Bypass User Account Control
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Modify Registry
8Impair Defenses
5Disable or Modify Tools
3Disable or Modify System Firewall
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Indicator Removal
2File Deletion
2Hide Artifacts
3Hidden Files and Directories
2Hidden Users
1File and Directory Permissions Modification
1Pre-OS Boot
1Bootkit
1Direct Volume Access
1