Malware Analysis Report

2024-11-13 18:20

Sample ID 240927-wcxdgsvhqc
Target Doenerium Builder.exe
SHA256 fd111c335073ae9b9f33d1f3e348bcbc46dd0b90de333156c2dbbee62412374b
Tags
pyinstaller adware antivm apt upx backdoor banker bootkit botnet clipper collection crypter discovery downloader dropper evasion exploit exploiter doomrat
score
10/10

Analysis Overview

score
10/10

SHA256

fd111c335073ae9b9f33d1f3e348bcbc46dd0b90de333156c2dbbee62412374b

Threat Level: Known bad

The file Doenerium Builder.exe was found to be: Known bad.

Malicious Activity Summary

DoomRat

Doomrat family

Loads dropped DLL

Detects Pyinstaller

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-09-27 17:47

Signatures

DoomRat

adware antivm apt upx backdoor banker bootkit botnet clipper collection crypter discovery downloader dropper evasion exploit exploiter
Description Indicator Process Target
N/A N/A N/A N/A

Doomrat family

doomrat

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-27 17:47

Reported

2024-09-27 17:47

Platform

win7-20240903-en

Max time kernel

0s

Max time network

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe"

C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI26482\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26482\api-ms-win-core-file-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26482\api-ms-win-core-localization-l1-2-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26482\api-ms-win-core-processthreads-l1-1-1.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26482\api-ms-win-core-timezone-l1-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26482\api-ms-win-core-file-l2-1-0.dll

C:\Users\Admin\AppData\Local\Temp\_MEI26482\python312.dll

\Users\Admin\AppData\Local\Temp\_MEI26482\python312.dll


Analysis: behavioral2

Detonation Overview

Submitted

2024-09-27 17:47

Reported

2024-09-27 17:47

Platform

win10v2004-20240802-en

Max time kernel

0s

Max time network

4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe"

Signatures

Loads dropped DLL

Description  Indicator  Process                                                   Target
N/A          N/A        C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe"

C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Doenerium Builder.exe"

Network

Country  Destination     Domain  Proto
US       8.8.8.8:53              udp
N/A      2.23.210.83:80          tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI50042\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI50042\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI50042\python312.dll
