Overview

overview

666

Static

static

666

DoomRat.exe

windows10-1703-x64

10

Resubmissions

19-09-2024 16:35

240919-t3mwmaydma 10

19-09-2024 15:27

240919-svslgawara 666

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DoomRat.exe

  • Size

    12.1MB

  • Sample

    240919-svslgawara

  • MD5

    de44552631e89947e4654a39f41c18fc

  • SHA1

    b1370d875efcf7bbba3ec1a9cfbd2bb20ae23c6d

  • SHA256

    263b41f42d5b9e564bd527b80bf6dc499367af7f1c1b6436dc70fc072d5a5f4d

  • SHA512

    d876bd63a929791e49dd5119fcf488a7c89eb471a183c71b287fb621144f5ffc72c606f3a3dc250ed65649d3bf3b69427abc4c5fc5d03b86324386708ee77def

  • SSDEEP

    393216:vGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:SYQZ2YwUlJn1QtIm28IKzo

Score
666/10
berbewblackmooncobaltstrikeemotetgoziepoch3backdoorbankerisfbpyinstallertrojanupx

Malware Config

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

Extracted

Family

emotet

Botnet

Epoch3

C2

173.94.215.84:80

85.25.207.108:8080

178.128.14.92:8080

60.125.114.64:443

181.126.54.234:80

157.7.164.178:8081

95.216.205.155:8080

216.75.37.196:8080

179.62.238.49:80

71.57.180.213:80

172.96.190.154:8080

112.78.142.170:80

178.238.232.46:443

177.144.130.105:443

105.209.235.113:8080

46.105.131.68:8080

185.86.148.68:443

143.95.101.72:8080

75.127.14.170:8080

168.0.97.6:80
rsa_pubkey.plain

Extracted

Family

gozi

Targets

    • Target

      DoomRat.exe

    • Size

      12.1MB

    • MD5

      de44552631e89947e4654a39f41c18fc

    • SHA1

      b1370d875efcf7bbba3ec1a9cfbd2bb20ae23c6d

    • SHA256

      263b41f42d5b9e564bd527b80bf6dc499367af7f1c1b6436dc70fc072d5a5f4d

    • SHA512

      d876bd63a929791e49dd5119fcf488a7c89eb471a183c71b287fb621144f5ffc72c606f3a3dc250ed65649d3bf3b69427abc4c5fc5d03b86324386708ee77def

    • SSDEEP

      393216:vGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:SYQZ2YwUlJn1QtIm28IKzo

    Score
    10/10
    berbewblackmooncobaltstrikeemotetgoziepoch3backdoorbankerisfbtrojanupx

    • Berbew

      Berbew is a backdoor written in C++.

      backdoorberbew

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Detect Blackmoon payload

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Gozi

      Gozi is a well-known and widely distributed banking trojan.

      bankertrojangozi

    • Emotet payload

      Detects Emotet payload in memory.

      trojanbanker

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Legitimate hosting services abused for malware hosting/C2

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks