Overview

overview

10

Static

static

3

RatAlerts.exe

windows11-21h2-x64

10

magic.pyc

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RatAlerts.exe

  • Size

    36.7MB

  • Sample

    240919-qa3jtszgqp

  • MD5

    f921e16ca321bbe2e490f036f8b99c74

  • SHA1

    6e25638b340ba77f3e467bbbdc27c48209e193af

  • SHA256

    6b1700a3961f46120afdf3c5e027556682badcae0015503d533c9f808f214ddc

  • SHA512

    04492839ccaeeddc9090b7f6c6458294540bb3e2589108a3c459ae87a11c6cabe6548d80805f37b8bd43616d3645afdabe8b95b9f37c85c06f5c87b137a10274

  • SSDEEP

    786432:pjE3Qtst8rW8WZ2YwUlJAdQ/2j6+s7LWB75zuXVgM3MGYS2fAMJLjvZ:a3QtIoWlZ2mlq62qHWB75ilZMGJ24MRN

Score
10/10
ardamaxberbewcobaltstrikedarkcometdcratformbookgh0stratmetasploitmydoomneshtaredlinesnakekeyloggerumbralwarzoneratxmrigxwormbackdoordefense_evasiondiscoveryevasionexecutioninfostealerkeyloggerminerpersistencepyinstallerratspywarestealertrojanupxworm

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

metasploit

Version

encoder/shikata_ga_nai

Extracted

Family

metasploit

Version

metasploit_stager

C2

38.207.133.152:15765

Targets

    • Target

      RatAlerts.exe

    • Size

      36.7MB

    • MD5

      f921e16ca321bbe2e490f036f8b99c74

    • SHA1

      6e25638b340ba77f3e467bbbdc27c48209e193af

    • SHA256

      6b1700a3961f46120afdf3c5e027556682badcae0015503d533c9f808f214ddc

    • SHA512

      04492839ccaeeddc9090b7f6c6458294540bb3e2589108a3c459ae87a11c6cabe6548d80805f37b8bd43616d3645afdabe8b95b9f37c85c06f5c87b137a10274

    • SSDEEP

      786432:pjE3Qtst8rW8WZ2YwUlJAdQ/2j6+s7LWB75zuXVgM3MGYS2fAMJLjvZ:a3QtIoWlZ2mlq62qHWB75ilZMGJ24MRN

    Score
    10/10
    ardamaxberbewcobaltstrikedarkcometdcratformbookgh0stratmetasploitmydoomneshtaredlinesnakekeyloggerumbralwarzoneratxmrigxwormbackdoordefense_evasiondiscoveryevasionexecutioninfostealerkeyloggerminerpersistencepyinstallerratspywarestealertrojanupxworm

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Ardamax

      A keylogger first seen in 2013.

      keyloggerstealerardamax

    • Ardamax main executable

    • Berbew

      Berbew is a backdoor written in C++.

      backdoorberbew

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Detect Neshta payload

    • Detect Umbral payload

    • Detect Xworm Payload

    • Detects MyDoom family

    • Disables service(s)

      evasionexecution

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • MyDoom

      MyDoom is a Worm that is written in C++.

      wormmydoom

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Formbook payload

      rat

    • Warzone RAT payload

      rat

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    behavioral1

    • Target

      magic.pyc

    • Size

      6KB

    • MD5

      b2f3b8c51fc212840a568109668723fb

    • SHA1

      43011f5d1c9d0d7171ee9bc02a544a0e908fa3cb

    • SHA256

      944ef230c959dd122599f0c355c8fd319bbdb2dc95a0d9ea8e6012918a04af03

    • SHA512

      4414ba510bded7a55898ca3f74b124c88053b7f100807deb64e7d7a476c085ce168f539fad240d297a7a1aa536c12b81175021368061c0007602131b9baef63d

    • SSDEEP

      96:+G1i96z2ziW5SSUKBccccc3cc2yY1FyowsrnSzjWfagsfaeKjJZgbhWYdFlj+8:EbDVvccccc3cc2t1rEGavfancb/bj+8

    Score
    3/10
    behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

1
T1112

Credential Access

Discovery

Network Share Discovery

1
T1135

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks