General
-
Target
Client.exe
-
Size
34KB
-
Sample
240819-a9drrayamm
-
MD5
de2ff0cf683f97d87c97a84a0bdeb49e
-
SHA1
52a3d2012d8dde1e131f4c8e060d193e2f1237cf
-
SHA256
62566a803d4f1d485a6df2a9fcd7af4861631e77785b973844e668dda51c74f0
-
SHA512
56c169cdf07c47ca5e0c51507c0c02b1d01a183c9536eb74eeb2e432cf954812a37a9af2974f0cc48cc5e2dadbab73c530e82e2048163c1c3389848b8e58da4e
-
SSDEEP
768:QpNkDJkjKB41eZuT0dm9joyZwPhtbPn9BX3qJKhSdN38:kNkDNB41eZw9jonR/9N3qJKhsh8
Malware Config
Extracted
https://github.com/NGROKC/CTC/raw/main/CTC64.dll
Targets
-
-
Target
Client.exe
-
Size
34KB
-
MD5
de2ff0cf683f97d87c97a84a0bdeb49e
-
SHA1
52a3d2012d8dde1e131f4c8e060d193e2f1237cf
-
SHA256
62566a803d4f1d485a6df2a9fcd7af4861631e77785b973844e668dda51c74f0
-
SHA512
56c169cdf07c47ca5e0c51507c0c02b1d01a183c9536eb74eeb2e432cf954812a37a9af2974f0cc48cc5e2dadbab73c530e82e2048163c1c3389848b8e58da4e
-
SSDEEP
768:QpNkDJkjKB41eZuT0dm9joyZwPhtbPn9BX3qJKhSdN38:kNkDNB41eZw9jonR/9N3qJKhsh8
Score10/10-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
r77
r77 is an open-source, userland rootkit.
-
r77 rootkit payload
Detects the payload of the r77 rootkit.
-
Credentials from Password Stores: Credentials from Web Browsers
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Event Triggered Execution: AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Adds Run key to start application
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2AppInit DLLs
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2AppInit DLLs
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1