Overview

overview

10

Static

static

10

DoomRat.exe

windows10-1703-x64

10

Resubmissions

30-09-2024 01:10

240930-bjef2atgje 7

29-09-2024 20:05

240929-yt7xnaxhqr 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DoomRat.exe

  • Size

    13.1MB

  • Sample

    240929-yt7xnaxhqr

  • MD5

    567b550c62dc82e09dd15b9c32e0c72e

  • SHA1

    3397499e49714d4bd4fbb49525cf3df06ec7d5eb

  • SHA256

    5c4e60801dd978710cdce9a43bcd6e14e3fa8e6790dc981b4ad25307628b41a0

  • SHA512

    5156d85a00591caa08df22f5536fc4b43099774a1d05386f4890561eaf388dedc5685c6cbe5d461da3c7fb2a7fa630291bdbb0bc56fb765cc89d1c2adfafcb35

  • SSDEEP

    393216:bGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:uFQZ2YwUlJn1QtIm28Inpzo

Score
10/10
azorultberbewblackmoondoomratponyramnitxmrigxtremeratxworm antivm apt backdoor banker bootkit botnet clipper collection crypter discovery downloader dropper evasion exploit exploiter upxadwarebackdoorbankercredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerminerpersistencepyinstallerratspywarestealertrojanupxworm

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Extracted

Family

xworm

Attributes
  • Install_directory

    %Temp%

  • install_file

    chyrka228.exe

  • pastebin_url

    https://pastebin.com/raw/MdxXj6A4

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

xtremerat

C2

far3on.zapto.org

Targets

    • Target

      DoomRat.exe

    • Size

      13.1MB

    • MD5

      567b550c62dc82e09dd15b9c32e0c72e

    • SHA1

      3397499e49714d4bd4fbb49525cf3df06ec7d5eb

    • SHA256

      5c4e60801dd978710cdce9a43bcd6e14e3fa8e6790dc981b4ad25307628b41a0

    • SHA512

      5156d85a00591caa08df22f5536fc4b43099774a1d05386f4890561eaf388dedc5685c6cbe5d461da3c7fb2a7fa630291bdbb0bc56fb765cc89d1c2adfafcb35

    • SSDEEP

      393216:bGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:uFQZ2YwUlJn1QtIm28Inpzo

    Score
    10/10
    azorultberbewblackmoonponyramnitxmrigxtremeratxwormbackdoorbankercredential_accessdefense_evasiondiscoveryevasionexecutioninfostealerminerpersistenceratspywarestealertrojanupxworm

    • Adds autorun key to be loaded by Explorer.exe on startup

      persistence

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

      trojaninfostealerazorult

    • Berbew

      Berbew is a backdoor written in C++.

      backdoorberbew

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Detect Blackmoon payload

    • Detect XtremeRAT payload

    • Detect Xworm Payload

    • Disables service(s)

      evasionexecution

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • Modifies visibility of file extensions in Explorer

      evasion

    • Pony,Fareit

      Pony is a Remote Access Trojan application that steals information.

      ratspywarestealerpony

    • Ramnit

      Ramnit is a versatile family that holds viruses, worms, and Trojans.

      trojanspywarestealerwormbankerramnit

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • XMRig Miner payload

      miner

    • Modifies Windows Firewall

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Uses the VBS compiler for execution

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops desktop.ini file(s)

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Drops file in System32 directory

    • Hide Artifacts: Hidden Files and Directories

      defense_evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

3
T1564

Hidden Files and Directories

3
T1564.001

Impair Defenses

2
T1562

Disable or Modify System Firewall

2
T1562.004

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

6
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Network Share Discovery

1
T1135

Query Registry

1
T1012

Remote System Discovery

1
T1018

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks