Resubmissions

19-09-2024 16:35

240919-t3mwmaydma 10

19-09-2024 15:27

240919-svslgawara 666

General

  • Target

    DoomRat.exe

  • Size

    12.1MB

  • Sample

    240919-t3mwmaydma

  • MD5

    de44552631e89947e4654a39f41c18fc

  • SHA1

    b1370d875efcf7bbba3ec1a9cfbd2bb20ae23c6d

  • SHA256

    263b41f42d5b9e564bd527b80bf6dc499367af7f1c1b6436dc70fc072d5a5f4d

  • SHA512

    d876bd63a929791e49dd5119fcf488a7c89eb471a183c71b287fb621144f5ffc72c606f3a3dc250ed65649d3bf3b69427abc4c5fc5d03b86324386708ee77def

  • SSDEEP

    393216:vGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:SYQZ2YwUlJn1QtIm28IKzo

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Targets

    • Target

      DoomRat.exe

    • Size

      12.1MB

    • MD5

      de44552631e89947e4654a39f41c18fc

    • SHA1

      b1370d875efcf7bbba3ec1a9cfbd2bb20ae23c6d

    • SHA256

      263b41f42d5b9e564bd527b80bf6dc499367af7f1c1b6436dc70fc072d5a5f4d

    • SHA512

      d876bd63a929791e49dd5119fcf488a7c89eb471a183c71b287fb621144f5ffc72c606f3a3dc250ed65649d3bf3b69427abc4c5fc5d03b86324386708ee77def

    • SSDEEP

      393216:vGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:SYQZ2YwUlJn1QtIm28IKzo

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • Berbew

      Berbew is a backdoor written in C++.

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Detect XenoRat Payload

    • XenorRat

      XenorRat is a remote access trojan written in C#.

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.