General
Target: DoomRat.exe
Size: 13.1MB
Sample: 240929-yt7xnaxhqr
MD5: 567b550c62dc82e09dd15b9c32e0c72e
SHA1: 3397499e49714d4bd4fbb49525cf3df06ec7d5eb
SHA256: 5c4e60801dd978710cdce9a43bcd6e14e3fa8e6790dc981b4ad25307628b41a0
SHA512: 5156d85a00591caa08df22f5536fc4b43099774a1d05386f4890561eaf388dedc5685c6cbe5d461da3c7fb2a7fa630291bdbb0bc56fb765cc89d1c2adfafcb35
SSDEEP: 393216:bGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:uFQZ2YwUlJn1QtIm28Inpzo
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: onthelinux
Password: 741852abc
Extracted: xworm
Install_directory: %Temp%
install_file: chyrka228.exe
pastebin_url: https://pastebin.com/raw/MdxXj6A4
Extracted: berbew
Extracted: azorult
http://195.245.112.115/index.php
Extracted: xtremerat
far3on.zapto.org
Targets
- Adds autorun key to be loaded by Explorer.exe on startup
- Azorult
  An information stealer first discovered in 2016, targeting browsing history and passwords.
- Detect Blackmoon payload
- Detect XtremeRAT payload
- Detect Xworm payload
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Modifies visibility of file extensions in Explorer
- XtremeRAT
  XtremeRAT was developed by xtremecoder, has been available since at least 2010, and is written in Delphi.
- Detected NirSoft tools
  Free utilities often used by attackers that can recover passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients.
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers.
- XMRig Miner payload
- Modifies Windows Firewall
- Executes dropped EXE
- Loads dropped DLL
- Unsecured Credentials: Credentials In Files
  Steals credentials from unsecured files.
- Uses the VBS compiler for execution
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by their intrusion activity.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Hide Artifacts: Hidden Files and Directories
MITRE ATT&CK Enterprise v15 (technique name followed by the number of matching signatures)
Execution
  Command and Scripting Interpreter (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (1)
    Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (3)
    Windows Service (3)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Hide Artifacts (3)
    Hidden Files and Directories (3)
  Impair Defenses (2)
    Disable or Modify System Firewall (2)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (6)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Discovery
  Network Share Discovery (1)
  Query Registry (1)
  Remote System Discovery (1)
  System Information Discovery (1)
  System Location Discovery (1)
    System Language Discovery (1)
  System Network Configuration Discovery (1)
    Internet Connection Discovery (1)
  System Time Discovery (1)