Extracted

Extracted

Extracted

• • Target

    DoomRat.exe

  • Size

    12.1MB

  • MD5

    b6f21ecc31778ba2362958d1e5091759

  • SHA1

    613dbf4e682fe14b8617908113fc5c7ba05de16a

  • SHA256

    94bd1fa65b9ee3fe4be830326ebcd918609ee260797391d1af8aa4ac470cce3f

  • SHA512

    d5d842d520fa1a5a768b62e3d4945f7aa49aa3079c78843cc70eb2e87515dc228cd8bda2ecbe70d1cdb8a94630687cefe587ee6dfac93685cd9e17473040ac4d

  • SSDEEP

    393216:HGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:KYQZ2YwUlJn1QtIm28IKzo

  Score

  10^/10

  berbewdarkcometgh0stratmodiloadermydoomredlinesalityxmriglivetrafficbackdoordefense_evasiondiscoveryevasionexecutioninfostealerminerpersistenceprivilege_escalationrattrojanupxworm

  • Adds autorun key to be loaded by Explorer.exe on startup

    persistence

  • Berbew

    Berbew is a backdoor written in C++.

    backdoorberbew

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    trojanratdarkcomet

  • Detects MyDoom family

  • Gh0st RAT payload

  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat

  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader

  • Modifies WinLogon for persistence

    persistence

  • Modifies firewall policy service

    evasion

  • Modifies visibility of file extensions in Explorer

    evasion

  • Modifies visiblity of hidden/system files in Explorer

    evasion

  • MyDoom

    MyDoom is a Worm that is written in C++.

    wormmydoom

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline

  • RedLine payload

  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • ModiLoader Second Stage

  • Adds policy Run key to start application

    persistence

  • Boot or Logon Autostart Execution: Active Setup

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence

  • Command and Scripting Interpreter: PowerShell

    Powershell Invoke Web Request.

    execution

  • Disables Task Manager via registry modification

    evasion

  • Modifies Windows Firewall

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Impair Defenses: Safe Mode Boot

    defense_evasion

  • Loads dropped DLL

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Blocklisted process makes network request

  • Checks whether UAC is enabled

    evasiontrojan

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    persistence

  • Program crash

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2