Resubmissions

30-09-2024 01:10

240930-bjef2atgje 7

29-09-2024 20:05

240929-yt7xnaxhqr 10

General

  • Target

    DoomRat.exe

  • Size

    13.1MB

  • Sample

    240929-yt7xnaxhqr

  • MD5

    567b550c62dc82e09dd15b9c32e0c72e

  • SHA1

    3397499e49714d4bd4fbb49525cf3df06ec7d5eb

  • SHA256

    5c4e60801dd978710cdce9a43bcd6e14e3fa8e6790dc981b4ad25307628b41a0

  • SHA512

    5156d85a00591caa08df22f5536fc4b43099774a1d05386f4890561eaf388dedc5685c6cbe5d461da3c7fb2a7fa630291bdbb0bc56fb765cc89d1c2adfafcb35

  • SSDEEP

    393216:bGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:uFQZ2YwUlJn1QtIm28Inpzo

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    chyrka228.exe

  • pastebin_url

    https://pastebin.com/raw/MdxXj6A4

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

xtremerat

C2

far3on.zapto.org

Targets

    • Target

      DoomRat.exe

    • Size

      13.1MB

    • MD5

      567b550c62dc82e09dd15b9c32e0c72e

    • SHA1

      3397499e49714d4bd4fbb49525cf3df06ec7d5eb

    • SHA256

      5c4e60801dd978710cdce9a43bcd6e14e3fa8e6790dc981b4ad25307628b41a0

    • SHA512

      5156d85a00591caa08df22f5536fc4b43099774a1d05386f4890561eaf388dedc5685c6cbe5d461da3c7fb2a7fa630291bdbb0bc56fb765cc89d1c2adfafcb35

    • SSDEEP

      393216:bGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:uFQZ2YwUlJn1QtIm28Inpzo

    • Adds autorun key to be loaded by Explorer.exe on startup

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Berbew

      Berbew is a backdoor written in C++.

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Detect XtremeRAT payload

    • Detect Xworm Payload

    • Disables service(s)

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies visibility of file extensions in Explorer

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • Xworm

      Xworm is a remote access trojan written in C#.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • XMRig Miner payload

    • Modifies Windows Firewall

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

    • Uses the VBS compiler for execution

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempt to gather information on host network.

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Files and Directories

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks