General

Target: dontrun.exe
Size: 10.7MB
Sample: 241002-yjxzpstcqp
MD5: 5520edc0639334d87e92c2b53e36803d
SHA1: 3e7c547fd3f437a7fe4c09c8767dbcc5118d3dcf
SHA256: 4a1ed7a206b3c4aa83b3c38f9a8f68cb5b875702afdb240b7b307616519bd0e9
SHA512: 0824441ad3fd96aef8dc14ba89cf1d1f8ca6d513b89181b8d4b00803d2b64462c1da66ff52ce2a1e6726e80845e29c6694149a1c1a3d0177b99482056dc5b1dd
SSDEEP: 196608:rqzv86gV6rbQQOOl2szsHFUK2r7UyTAdQmR8dA6lS8Qnf2ODjMnGydS8LrBOCRWs:yWVehZ2YsHFUK2JAdQJlaF3MnG38LrBR
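Before acting on any indicator from this report, confirm that the file on your side is the same sample by checking all four digests, and read the ssdeep value correctly: the leading 196608 is the block size, and ssdeep only yields a meaningful similarity score between digests whose block sizes are equal or differ by exactly a factor of two. The following is an added example, not code from the sandbox or the report; the function names are my own and the sample bytes are constructed (so they do not match the report's hashes, which is exactly what the check is meant to surface).

```python
"""Verify a local sample against the hashes in this report and parse its
ssdeep digest. Added example, not part of the report; the sample bytes in
__main__ are a constructed stand-in, not the real dontrun.exe."""
import hashlib
import re

# Values copied from the report above.
REPORT_HASHES = {
    "md5": "5520edc0639334d87e92c2b53e36803d",
    "sha1": "3e7c547fd3f437a7fe4c09c8767dbcc5118d3dcf",
    "sha256": "4a1ed7a206b3c4aa83b3c38f9a8f68cb5b875702afdb240b7b307616519bd0e9",
    "sha512": "0824441ad3fd96aef8dc14ba89cf1d1f8ca6d513b89181b8d4b00803d2b64462"
              "c1da66ff52ce2a1e6726e80845e29c6694149a1c1a3d0177b99482056dc5b1dd",
}
REPORT_SSDEEP = ("196608:rqzv86gV6rbQQOOl2szsHFUK2r7UyTAdQmR8dA6lS8Qnf2ODjMnGydS8LrBOCRWs:"
                 "yWVehZ2YsHFUK2JAdQJlaF3MnG38LrBR")


def hash_bytes(data: bytes) -> dict:
    """Compute the same four digests the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def verify_sample(data: bytes, expected: dict = REPORT_HASHES) -> dict:
    """Return {algo: matched} for every algorithm in `expected`.

    All four are compared rather than MD5 alone: MD5 and SHA-1 collisions are
    practical, so a match on those two is not proof you hold the analysed file."""
    actual = hash_bytes(data)
    return {algo: actual[algo] == digest.lower() for algo, digest in expected.items()}


# ssdeep digests use the base64 alphabet: blocksize:hash1:hash2
_SSDEEP_RE = re.compile(r"^(\d+):([A-Za-z0-9+/]*):([A-Za-z0-9+/]*)$")


def parse_ssdeep(digest: str) -> tuple:
    """Split 'blocksize:hash1:hash2'. hash2 is computed with 2 * blocksize."""
    m = _SSDEEP_RE.match(digest)
    if not m:
        raise ValueError("not an ssdeep digest: %r" % digest)
    return int(m.group(1)), m.group(2), m.group(3)


def ssdeep_comparable(a: str, b: str) -> bool:
    """ssdeep only scores two digests whose block sizes are equal or differ by
    exactly a factor of two; any other pair scores 0 by construction, not
    because the files are unrelated. Check this before trusting a 0."""
    bs_a = parse_ssdeep(a)[0]
    bs_b = parse_ssdeep(b)[0]
    return bs_a == bs_b or bs_a == 2 * bs_b or bs_b == 2 * bs_a


if __name__ == "__main__":
    sample = b"MZ" + b"\x00" * 62   # constructed stand-in, not the real sample
    print(verify_sample(sample))     # every algorithm False for the stand-in
    print(parse_ssdeep(REPORT_SSDEEP)[0])
```

In practice replace the stand-in with `open(path, "rb").read()`; a 10.7MB file is small enough to hash in memory. A digest whose block size is, say, 49152 cannot be meaningfully compared with this sample's 196608 digest, so a similarity of 0 against it says nothing.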
Malware Config

Extracted: berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm

Extracted: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
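The two URL lists above are the extracted C2/check-in targets, which is what most readers will turn into indicators. Match on host plus path rather than on hostname alone: the Berbew list includes domains that also serve legitimate content (kaspersky.ru, for one), so a bare-hostname rule would fire on ordinary traffic. The following is an added example, not part of the report; it indexes a subset of the URLs above (paste the full lists in practice), and the proxy log lines and their squid-like field layout are constructed for the demonstration.

```python
"""Turn the extracted C2 URL lists into (host, path) indicators and match
them against proxy log lines. Added example, not part of the report; the
log lines and their format are constructed."""
from urllib.parse import urlsplit

# Subset of the URLs from the Malware Config section above.
BERBEW_URLS = [
    "http://crutop.nu/index.php",
    "http://kaspersky.ru/index.php",
    "http://tat-neftbank.ru/kkq.php",
    "http://tat-neftbank.ru/wcmd.htm",
]
SALITY_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
]


def build_indicators(urls, family):
    """Index full (host, path) pairs. Hostname-only matching would be noisy
    because some of these hosts also serve legitimate content."""
    index = {}
    for u in urls:
        parts = urlsplit(u)
        index[(parts.hostname.lower(), parts.path)] = family
    return index


INDICATORS = {}
INDICATORS.update(build_indicators(BERBEW_URLS, "berbew"))
INDICATORS.update(build_indicators(SALITY_URLS, "sality"))

# Constructed log lines, assumed format: '<ts> <client> <method> <url> <status>'
PROXY_LOG = [
    "t0 10.0.0.5 GET http://kaspersky.ru/ 200",             # same host, different path: no hit
    "t1 10.0.0.5 GET http://KASPERSKY.ru/index.php 200",    # Berbew check-in URL
    "t2 10.0.0.7 GET http://89.119.67.154/testo5/ 404",     # Sality URL, even though it 404s
    "t3 10.0.0.9 GET http://example.org/index.php 200",     # unrelated host
]


def match_log(lines, index=INDICATORS):
    """Return [(line_no, family, url)] for each line whose URL is an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed line, skip rather than crash
        url = fields[3]
        parts = urlsplit(url)
        if parts.hostname is None:
            continue                      # no scheme/host, cannot be one of ours
        key = (parts.hostname.lower(), parts.path)
        if key in index:
            hits.append((n, index[key], url))
    return hits


def scan(lines=PROXY_LOG):
    return match_log(lines)


if __name__ == "__main__":
    for n, family, url in scan():
        print(f"line {n}: {family} -> {url}")
```

The HTTP status is deliberately ignored: a 404 from a sinkholed or dead C2 is still a host that ran the sample. Note that hostname matching is case-insensitive (urlsplit lowercases it) while the path is compared exactly, which is what these fixed-path indicators call for.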
Targets

Target: dontrun.exe
Size: 10.7MB
- Cobalt Strike reflective loader: Detects the reflective loader used by Cobalt Strike.
- DcRat: DarkCrystal (DC) is a .NET RAT active since June 2019 that can load additional plugins.
- Detect Blackmoon payload
- Detects the MyDoom family
- Process spawned unexpected child process: This typically indicates the parent process was compromised via an exploit or macro.
- Detects Floxif payload
- XMRig Miner payload
- Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- ACProtect 1.3x - 1.4x DLL software: Detects a file packed with ACProtect.
- Clipboard Data: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
- Loads dropped DLL
- Obfuscated Files or Information: Command Obfuscation: Adversaries may obfuscate content during command execution to impede detection.
MITRE ATT&CK Enterprise v15

Tactic / Technique (count) / Sub-technique (count)

Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
  System Services (2)
    Service Execution (2)
Persistence
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Create or Modify System Process (2)
    Windows Service (2)
  Scheduled Task/Job (1)
    Scheduled Task (1)