General

  • Target

    hel.txt

  • Size

    455B

  • Sample

    240925-rkbdrstama

  • MD5

    f31e3269ee1cb4c18a1eea1166e8938a

  • SHA1

    ec636628ee8b40c7df406a32ce1821361045594f

  • SHA256

    e6a7cd09db490104366798d6ea71a3f1f8df01d59394e36ef6e1a8ecb8facf1d

  • SHA512

    3ff8dfd9b8be1e5a13579169cbd197f57de8475492caac330b893200b8f5ac2c799e8abb0d35d1807e3999ab7d363dfbff5082d78f04d5bfdb8ad04fb9405248

Malware Config

Targets

    • Target

      hel.txt

    • Size

      455B

    • MD5

      f31e3269ee1cb4c18a1eea1166e8938a

    • SHA1

      ec636628ee8b40c7df406a32ce1821361045594f

    • SHA256

      e6a7cd09db490104366798d6ea71a3f1f8df01d59394e36ef6e1a8ecb8facf1d

    • SHA512

      3ff8dfd9b8be1e5a13579169cbd197f57de8475492caac330b893200b8f5ac2c799e8abb0d35d1807e3999ab7d363dfbff5082d78f04d5bfdb8ad04fb9405248

    • UAC bypass

    • Disables Task Manager via registry modification

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies WinLogon

    • Sets desktop wallpaper using registry

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks