Malware Analysis Report

2024-11-13 18:11

Sample ID 240927-v2569asfrk
Target DoomRat.exe
SHA256 5c4e60801dd978710cdce9a43bcd6e14e3fa8e6790dc981b4ad25307628b41a0
Tags pyinstaller adware antivm apt upx backdoor banker bootkit botnet clipper collection crypter discovery downloader dropper evasion exploit exploiter doomrat
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 5c4e60801dd978710cdce9a43bcd6e14e3fa8e6790dc981b4ad25307628b41a0

Threat Level: Known bad

The file DoomRat.exe was found to be: Known bad.

Malicious Activity Summary

Tags: pyinstaller adware antivm apt upx backdoor banker bootkit botnet clipper collection crypter discovery downloader dropper evasion exploit exploiter doomrat

Signatures triggered across the static and behavioral runs:

  DoomRat
  Doomrat family
  Loads dropped DLL
  Detects Pyinstaller
  Unsigned PE
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A (the sandbox mapped no ATT&CK techniques for this sample; the behavioral run below was too short to observe post-unpack activity).

Analysis: static1

Detonation Overview

Reported 2024-09-27 17:30

Signatures

DoomRat
  Tags: adware antivm apt upx backdoor banker bootkit botnet clipper collection crypter discovery downloader dropper evasion exploit exploiter
  Description / Indicator / Process / Target: N/A (no per-indicator details recorded)

Doomrat family
  Tags: doomrat

Detects Pyinstaller
  Tags: pyinstaller
  Description / Indicator / Process / Target: N/A (no per-indicator details recorded)

Unsigned PE
  Description / Indicator / Process / Target: N/A (no per-indicator details recorded)
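The static "Detects Pyinstaller" verdict above reports no indicator, so the following added example (not the sandbox's code) shows what such a check actually keys on: every PyInstaller onefile binary carries its packed archive as a PE overlay terminated by an 88-byte cookie whose magic is "MEI" followed by the bytes 0c 0b 0a 0b 0e. The cookie also names the bundled Python library (here one would expect python312.dll, matching the dropped files below). The sample archive in the block is constructed in memory, not taken from DoomRat.exe.

```python
"""Locate and parse the PyInstaller archive cookie that static
"Detects Pyinstaller" signatures key on (added example, not sandbox code)."""
import struct

# Magic that terminates every PyInstaller CArchive: "MEI" + \014\013\012\013\016.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Cookie layout since PyInstaller 2.1: magic, package length, TOC offset
# (relative to the archive start), TOC length, python version, python
# library name (64 bytes, NUL padded). Big-endian.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` (a whole PE image or just its
    overlay) contains a PyInstaller archive, else None."""
    pos = data.rfind(PYI_MAGIC)          # the cookie is the last thing appended
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    # Older bootloaders encoded 3.7 as 37, newer ones encode 3.12 as 312.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    # pkg_len counts the cookie itself, so the archive starts this far back.
    pkg_start = pos + COOKIE_SIZE - pkg_len
    if pkg_start < 0 or toc_off + toc_len > pkg_len:
        return None                      # magic present but sizes inconsistent: treat as corrupt
    return {
        "cookie_offset": pos,
        "package_start": pkg_start,
        "package_len": pkg_len,
        "toc_offset": pkg_start + toc_off,
        "toc_len": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample_archive() -> bytes:
    """Constructed stand-in for a onefile binary: a fake PE prefix, some
    archive body, a placeholder TOC, then a well-formed cookie."""
    pe_stub = b"MZ" + b"\x00" * 62 + b"not a real PE, just a prefix"
    body = b"PYZ-00.pyz placeholder bytes" * 8
    toc = b"\x00" * 40                   # a real TOC lists the archive entries
    pkg_len = len(body) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYI_MAGIC, pkg_len, len(body), len(toc),
                         312, b"python312.dll")
    return pe_stub + body + toc + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample_archive()))
```

On a real sample, feed `find_pyinstaller_cookie` the bytes of the whole file; a hit plus a python3xx.dll name is the static evidence behind this signature, and `toc_offset` is where an unpacker would start reading entries.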

Analysis: behavioral1

Detonation Overview

Submitted 2024-09-27 17:30
Reported 2024-09-27 17:30
Platform win10v2004-20240802-en
Max time kernel 1s
Max time network 2s

The run was capped at 1 s of kernel time and 2 s of network time, so the behavioral data below covers only the first moments of execution: the PyInstaller unpacking stage is visible in the Files section, and nothing beyond it was captured.

Command Line

"C:\Users\Admin\AppData\Local\Temp\DoomRat.exe"

Signatures

Suspicious use of WriteProcessMemory

Description                        Indicator  Process                                        Target
PID 4588 wrote to memory of 1068   N/A        C:\Users\Admin\AppData\Local\Temp\DoomRat.exe  C:\Users\Admin\AppData\Local\Temp\DoomRat.exe
PID 4588 wrote to memory of 1068   N/A        C:\Users\Admin\AppData\Local\Temp\DoomRat.exe  C:\Users\Admin\AppData\Local\Temp\DoomRat.exe

Both rows record the first DoomRat.exe instance (PID 4588) writing into the address space of the second (PID 1068). Source and target are the same image, which is the pattern a PyInstaller onefile bootloader produces when it launches its own child process after unpacking; the unpack directory _MEI45882 in the Files section carries the parent PID 4588 in its name. On its own this signature is therefore weak evidence of injection into a foreign process.

Processes

C:\Users\Admin\AppData\Local\Temp\DoomRat.exe
  "C:\Users\Admin\AppData\Local\Temp\DoomRat.exe"

C:\Users\Admin\AppData\Local\Temp\DoomRat.exe
  "C:\Users\Admin\AppData\Local\Temp\DoomRat.exe"

Two instances of the same binary with identical command lines: the bootloader (PID 4588 per the WriteProcessMemory rows) and the child (PID 1068) it spawns to run the unpacked Python code.

Network

No network activity was recorded within the 2 s network window.

Files

C:\Users\Admin\AppData\Local\Temp\_MEI45882\ucrtbase.dll

MD5 a9f5b06fae677c9eb5be8b37d5fb1cb9
SHA1 5c37b880a1479445dd583f85c58a8790584f595d
SHA256 4e9e93fd6486571e1b5dce381fa536fb6c5593584d3330368ccd47ee6107bf52
SHA512 5d7664716fa52f407d56771862262317ac7f4a03f31f209333c3eea7f1c8cf3d5dbafc1942122948d19208d023df220407014f47e57694e70480a878822b779a

C:\Users\Admin\AppData\Local\Temp\_MEI45882\python312.dll

MD5 11be2fa8380505b985c199423c7a571f
SHA1 c0aaa1e11d848e219d81c0a14cb0557f7a2b77c8
SHA256 24e5aa342d36e5b8a2e8daeb4bd1ee75213c2e4c5eb2a841314d85563a78416f
SHA512 0917368f7d91551c233c699bebc30c1aba67227d53cc78384b424753446967f15026a19865314580615ec1d519a9deb233f3d6bccee4c8168c1c2e6d55195f27

C:\Users\Admin\AppData\Local\Temp\_MEI45882\python312.dll

MD5 52dc6b7b6231a68c20058c03adb0f8d1
SHA1 904d6e0a2549b8420caf81d9b5083330f0fdbf3c
SHA256 29f83ce326725266487ffe7d8c08ab33bf6ecb565861aa2a18b294c6b376a4b8
SHA512 e5e58e727dc5a7efae3bca388df8e8158cd2c2171acd205a770e152c1e160ee6dc6000afe3b4eba2edb7a775047e8cdc9406b0dd279bc4963e69dbe420036444

(The same path appears twice with different digests: two captures of python312.dll with different contents. Neither set of hashes should be treated as the final on-disk file without confirming which capture was complete.)

C:\Users\Admin\AppData\Local\Temp\_MEI45882\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI45882\base_library.zip

MD5 763d1a751c5d47212fbf0caea63f46f5
SHA1 845eaa1046a47b5cf376b3dbefcf7497af25f180
SHA256 378a4b40f4fa4a8229c93e0afee819085251af03402ccefa3b469651e50e60b7
SHA512 bb356dd610e6035f4002671440ce96624addf9a89fd952a6419647a528a551a6ccd0eca0ee2eeb080d9aad683b5afc9415c721fa62c3bcddcb7f1923f59d9c45

C:\Users\Admin\AppData\Local\Temp\_MEI45882\_ctypes.pyd

MD5 c8afa1ebb28828e1115c110313d2a810
SHA1 1d0d28799a5dbe313b6f4ddfdb7986d2902fa97a
SHA256 8978972cf341ccd0edf8435d63909a739df7ef29ec7dd57ed5cab64b342891f0
SHA512 4d9f41bd23b62600d1eb097d1578ba656b5e13fd2f31ef74202aa511111969bb8cfc2a8e903de73bd6e63fadaa59b078714885b8c5b8ecc5c4128ff9d06c1e56

C:\Users\Admin\AppData\Local\Temp\_MEI45882\python3.DLL

MD5 8dbe9bbf7118f4862e02cd2aaf43f1ab
SHA1 935bc8c5cea4502d0facf0c49c5f2b9c138608ed
SHA256 29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db
SHA512 938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4

C:\Users\Admin\AppData\Local\Temp\_MEI45882\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI45882\_lzma.pyd

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(These are the digests of a zero-byte file: _lzma.pyd had been created but not yet written when it was captured, consistent with the 1 s kernel time limit. Do not use these hashes as indicators.)
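The dropped-file listing above needs three sanity checks before any of it is used as an indicator: which entries are just the PyInstaller runtime (expected for any onefile build, malicious or not), which entries carry the digests of an empty file (captured before being written), and whether the _MEI directory name ties back to a process in the report. The following added example (not the sandbox's code) runs those checks, plus the same-image test for the WriteProcessMemory rows, over an excerpt of this report's own Files and Signatures data embedded as a constructed string.

```python
"""Triage checks over a sandbox report's dropped-file listing and
WriteProcessMemory rows (added example; not the sandbox's own code)."""
import hashlib
import re
from collections import Counter

# Digests of a zero-byte file; a dropped file reported with these was captured empty.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
}
# Files a PyInstaller onefile bootloader unpacks into its _MEI<pid><n> directory.
PYI_RUNTIME_RE = re.compile(r"^(python3\d*\.dll|base_library\.zip|.*\.pyd|libffi-\d+\.dll)$", re.I)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")

# Constructed excerpt of this report's Files section (paths and hashes copied from it).
REPORT_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\_MEI45882\python312.dll
MD5 11be2fa8380505b985c199423c7a571f
SHA256 24e5aa342d36e5b8a2e8daeb4bd1ee75213c2e4c5eb2a841314d85563a78416f
C:\Users\Admin\AppData\Local\Temp\_MEI45882\python312.dll
MD5 52dc6b7b6231a68c20058c03adb0f8d1
SHA256 29f83ce326725266487ffe7d8c08ab33bf6ecb565861aa2a18b294c6b376a4b8
C:\Users\Admin\AppData\Local\Temp\_MEI45882\base_library.zip
MD5 763d1a751c5d47212fbf0caea63f46f5
C:\Users\Admin\AppData\Local\Temp\_MEI45882\_lzma.pyd
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
# The two WriteProcessMemory rows from the behavioral section: (description, process, target).
EXE = r"C:\Users\Admin\AppData\Local\Temp\DoomRat.exe"
WPM_ROWS = [("PID 4588 wrote to memory of 1068", EXE, EXE)] * 2


def parse_file_entries(text):
    """A Windows path line starts an entry; 'ALG hex' lines attach digests to it."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$", line)
        if m and entries:
            entries[-1]["digests"][m.group(1)] = m.group(2).lower()
        elif re.match(r"^[A-Za-z]:\\", line):
            entries.append({"path": line, "digests": {}})
    return entries


def mei_parent_pid(dirname, known_pids):
    """PyInstaller names its unpack dir _MEI + parent PID + a counter; return the
    known PID that explains the name, longest PID first so 4588 beats 458."""
    if not dirname.startswith("_MEI"):
        return None
    rest = dirname[4:]
    for pid in sorted(known_pids, key=lambda p: -len(str(p))):
        s = str(pid)
        if rest.startswith(s) and rest[len(s):].isdigit():
            return pid
    return None


def triage_files(entries, known_pids):
    """Return sorted (finding, subject) pairs for the checks described above."""
    findings = set()
    seen = Counter(e["path"] for e in entries)
    for e in entries:
        name = e["path"].rsplit("\\", 1)[-1]
        if any(e["digests"].get(alg) == h for alg, h in EMPTY_DIGESTS.items()):
            findings.add(("empty-capture", name))
        if PYI_RUNTIME_RE.match(name):
            findings.add(("pyinstaller-runtime", name))
        if seen[e["path"]] > 1:
            findings.add(("multiple-captures", name))
    for d in {e["path"].rsplit("\\", 2)[-2] for e in entries}:
        pid = mei_parent_pid(d, known_pids)
        if pid is not None:
            findings.add(("mei-dir-from-pid", f"{d}:{pid}"))
    return sorted(findings)


def self_spawn_writes(rows):
    """Count 'PID X wrote to memory of Y' rows where source and target are the
    same image: the shape of a bootloader launching its own child, not of
    injection into a foreign process."""
    pairs = Counter()
    for desc, proc, target in rows:
        m = WPM_RE.search(desc)
        if m and proc.lower() == target.lower():
            pairs[(int(m.group(1)), int(m.group(2)))] += 1
    return dict(pairs)


if __name__ == "__main__":
    for finding in triage_files(parse_file_entries(REPORT_FILES), [4588, 1068]):
        print(*finding)
    print(self_spawn_writes(WPM_ROWS))
```

Run against the full Files section, every entry here comes back as PyInstaller runtime, _lzma.pyd is flagged as an empty capture, python312.dll as a double capture, and _MEI45882 resolves to PID 4588; the only hashes worth keeping from this run are those of the top-level DoomRat.exe itself.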