Overview

overview

10

Static

static

10

DoomRat.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DoomRat.exe

  • Size

    12.1MB

  • Sample

    240920-v11kdayaqd

  • MD5

    b6f21ecc31778ba2362958d1e5091759

  • SHA1

    613dbf4e682fe14b8617908113fc5c7ba05de16a

  • SHA256

    94bd1fa65b9ee3fe4be830326ebcd918609ee260797391d1af8aa4ac470cce3f

  • SHA512

    d5d842d520fa1a5a768b62e3d4945f7aa49aa3079c78843cc70eb2e87515dc228cd8bda2ecbe70d1cdb8a94630687cefe587ee6dfac93685cd9e17473040ac4d

  • SSDEEP

    393216:HGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:KYQZ2YwUlJn1QtIm28IKzo

Score
10/10
berbewblackmoondoomratemotetmodiloaderredlinesectopratxworm@tankist1007epoch2 antivm apt backdoor banker bootkit botnet clipper collection crypter discovery downloader dropper evasion exploit exploiter fakeav ics infostealer keylogger loader maldoc miner overlay persistence ransomware rat rootkit spam spreader spyware stealer trojan wiper wormadwarebackdoorbankerdiscoveryexecutioninfostealerpyinstallerrattrojanupx

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    feresto.hop.ru
  • Port:
    21
  • Username:
    w350955
  • Password:
    ubz0m0bv

Extracted

Family

berbew

C2

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

Extracted

Family

emotet

Botnet

Epoch2

C2

149.202.197.94:8080

139.162.75.91:8080

37.187.2.199:443

165.227.156.155:443

90.77.228.193:8090

67.225.179.64:8080

87.106.139.101:8080

191.92.209.110:7080

83.136.245.190:8080

65.23.154.17:8080

190.211.207.11:443

115.78.95.230:443

190.147.215.53:22

62.75.187.192:8080

173.249.47.77:8080

104.131.44.150:8080

190.145.67.134:8090

138.201.140.110:8080

103.39.131.88:80

80.11.163.139:21
rsa_pubkey.plain

Extracted

Family

redline

Botnet

@tankist1007

C2

92.119.113.189:21746

Extracted

Family

emotet

Botnet

Epoch2

C2

38.18.235.242:80

5.196.108.189:8080

121.124.124.40:7080

104.236.246.93:8080

113.61.66.94:80

120.150.60.189:80

91.211.88.52:7080

47.144.21.12:443

108.46.29.236:80

139.162.108.71:8080

134.209.36.254:8080

139.59.60.244:8080

66.65.136.14:80

76.175.162.101:80

174.106.122.139:80

95.213.236.64:8080

174.45.13.118:80

50.35.17.13:80

209.141.54.221:8080

87.106.139.101:8080
rsa_pubkey.plain

Extracted

Family

xworm

C2

127.0.0.1:39176

20.ip.gl.ply.gg:39176
Attributes
  • Install_directory

    %AppData%

  • install_file

    Explorer.exe

Targets

    • Target

      DoomRat.exe

    • Size

      12.1MB

    • MD5

      b6f21ecc31778ba2362958d1e5091759

    • SHA1

      613dbf4e682fe14b8617908113fc5c7ba05de16a

    • SHA256

      94bd1fa65b9ee3fe4be830326ebcd918609ee260797391d1af8aa4ac470cce3f

    • SHA512

      d5d842d520fa1a5a768b62e3d4945f7aa49aa3079c78843cc70eb2e87515dc228cd8bda2ecbe70d1cdb8a94630687cefe587ee6dfac93685cd9e17473040ac4d

    • SSDEEP

      393216:HGV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:KYQZ2YwUlJn1QtIm28IKzo

    Score
    10/10
    berbewblackmoonemotetmodiloaderredlinesectopratxworm@tankist1007epoch2backdoorbankerdiscoveryexecutioninfostealerrattrojanupx

    • Berbew

      Berbew is a backdoor written in C++.

      backdoorberbew

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Detect Xworm Payload

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Emotet payload

      Detects Emotet payload in memory.

      trojanbanker

    • ModiLoader Second Stage

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks