Overview

overview

666

Static

static

666

DoomRat.exe

windows10-1703-x64

10

Resubmissions

21-09-2024 17:07

240921-vnbeqatelr 7

21-09-2024 11:57

240921-n4mz5a1bqd 666

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DoomRat.exe

  • Size

    12.1MB

  • Sample

    240921-n4mz5a1bqd

  • MD5

    9b13e58ef5dcfa319ff36e8dc040c248

  • SHA1

    d97589619b4ba09b458888db1e93d08ff9a4d2e4

  • SHA256

    513be2fa1186d385753fb7132ff2b786bf7cc8651b7d8c12dc242e3857eee143

  • SHA512

    3a60282fdba5c70e0825c81b705c3d13721241605165ae28bd4fa59bdbbe2d6e4c666ce5d1a4475fc764d355eca9a6af607180bc46c7a7b938cf514e6944c9a0

  • SSDEEP

    393216:4GV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:HYQZ2YwUlJn1QtIm28IKzo

Score
666/10
berbewblackmoondarkcometemotetfloxifmetasploitnetsupportxmrigepoch2epoch3backdoorbankerdefense_evasiondiscoveryevasionexecutionminerpersistencepyinstallerrattrojanupx

Malware Config

Extracted

Language
ps1
Source
URLs
ps1.dropper

http://asboywnrihlvdsbpigftigzyb20gyw5vbnltb3vz.ru/cmfwe2
exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.controlfire.com.mx
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    0a4XlE=4t8mz

Extracted

Family

metasploit

Version

windows/reverse_http

C2

http://89.197.154.116:7810/dDmZLRctSF-O2Y_Y6DNv7gGR1g00Lo-DSbAP10Qhyakl6e3RBIKZx4eGRNsN-6iE5mPtUWD3pQadMjciytVqzPL

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Extracted

Family

emotet

Botnet

Epoch3

C2

190.192.39.136:80

5.189.168.53:8080

162.241.41.111:7080

190.85.46.52:7080

190.190.15.20:80

181.95.133.104:80

41.212.89.128:80

115.176.16.221:80

143.95.101.72:8080

75.127.14.170:8080

116.202.10.123:8080

74.208.173.91:8080

103.93.220.182:80

50.116.78.109:8080

67.121.104.51:20

180.26.62.115:443

139.59.12.63:8080

76.18.16.210:80

113.161.148.81:80

5.79.70.250:8080
rsa_pubkey.plain

Extracted

Family

emotet

Botnet

Epoch2

C2

38.18.235.242:80

5.196.108.189:8080

121.124.124.40:7080

104.236.246.93:8080

113.61.66.94:80

120.150.60.189:80

91.211.88.52:7080

47.144.21.12:443

108.46.29.236:80

139.162.108.71:8080

134.209.36.254:8080

139.59.60.244:8080

66.65.136.14:80

76.175.162.101:80

174.106.122.139:80

95.213.236.64:8080

174.45.13.118:80

50.35.17.13:80

209.141.54.221:8080

87.106.139.101:8080
rsa_pubkey.plain

Targets

    • Target

      DoomRat.exe

    • Size

      12.1MB

    • MD5

      9b13e58ef5dcfa319ff36e8dc040c248

    • SHA1

      d97589619b4ba09b458888db1e93d08ff9a4d2e4

    • SHA256

      513be2fa1186d385753fb7132ff2b786bf7cc8651b7d8c12dc242e3857eee143

    • SHA512

      3a60282fdba5c70e0825c81b705c3d13721241605165ae28bd4fa59bdbbe2d6e4c666ce5d1a4475fc764d355eca9a6af607180bc46c7a7b938cf514e6944c9a0

    • SSDEEP

      393216:4GV2CSQhZ2YsHFUK2Jn1+TtIiFQS2NXNsI8VbTToP:HYQZ2YwUlJn1QtIm28IKzo

    Score
    10/10
    berbewblackmoondarkcometemotetfloxifmetasploitnetsupportxmrigepoch2epoch3backdoorbankerdefense_evasiondiscoveryevasionexecutionminerpersistencepyinstallerrattrojanupx

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Berbew

      Berbew is a backdoor written in C++.

      backdoorberbew

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Detect Blackmoon payload

    • Disables service(s)

      evasionexecution

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

      trojanbankeremotet

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

      backdoortrojanfloxif

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies visibility of file extensions in Explorer

      evasion

    • Modifies visiblity of hidden/system files in Explorer

      evasion

    • NetSupport

      NetSupport is a remote access tool sold as a legitimate system administration software.

      ratnetsupport

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Detects Floxif payload

      backdoor

    • Emotet payload

      Detects Emotet payload in memory.

      trojanbanker

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Identifies Wine through registry keys

      Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

      evasion

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

3
T1059

JavaScript

1
T1059.007

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

4
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

4
T1564

Hidden Files and Directories

4
T1564.001

Impair Defenses

2
T1562

Disable or Modify System Firewall

2
T1562.004

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

9
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

6
T1012

Remote System Discovery

1
T1018

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Time Discovery

1
T1124

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks