Overview

overview

10

Static

static

3

x.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    x.exe

  • Size

    11.6MB

  • Sample

    241004-r4yneateqh

  • MD5

    db34e85e25da2e5b3b8ff777bbb68e4c

  • SHA1

    7c0e50f60c6470e0b8b6bedd89e4fe7f85df52cf

  • SHA256

    9382ff9b4e5ed4b170c306526dad14d4b3fc8d2f0e0c3f7febd6fa3e9d797adf

  • SHA512

    35053bb9f51f7f9f166e3f41cedd663e6a7733cb78f9236282177d8b9d986239c26fca5db9a5a95c0cbf05bfdd78769f63dc698a2e05cde52f3dc7197b51170e

  • SSDEEP

    196608:/B7v86gV1rbQQOOl2szsHFUK2r7UyTAdQmR8dA6lM8Qnf2ODjMnGydScSEPVrBO8:tWV9hZ2YsHFUK2JAdQJlsF3MnG3tOVr5

Score
10/10
ardamaxberbewblackmooncobaltstrikefloxifgh0stratmodiloaderbackdoorbankercollectiondefense_evasiondiscoveryevasionexecutionkeyloggerpyinstallerratstealertrojanupx

Malware Config

Extracted

Family

berbew

C2

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Targets

    • Target

      x.exe

    • Size

      11.6MB

    • MD5

      db34e85e25da2e5b3b8ff777bbb68e4c

    • SHA1

      7c0e50f60c6470e0b8b6bedd89e4fe7f85df52cf

    • SHA256

      9382ff9b4e5ed4b170c306526dad14d4b3fc8d2f0e0c3f7febd6fa3e9d797adf

    • SHA512

      35053bb9f51f7f9f166e3f41cedd663e6a7733cb78f9236282177d8b9d986239c26fca5db9a5a95c0cbf05bfdd78769f63dc698a2e05cde52f3dc7197b51170e

    • SSDEEP

      196608:/B7v86gV1rbQQOOl2szsHFUK2r7UyTAdQmR8dA6lM8Qnf2ODjMnGydScSEPVrBO8:tWV9hZ2YsHFUK2JAdQJlsF3MnG3tOVr5

    Score
    10/10
    ardamaxberbewblackmooncobaltstrikefloxifgh0stratmodiloaderbackdoorbankercollectiondefense_evasiondiscoveryevasionexecutionkeyloggerratstealertrojanupx

    • Ardamax

      A keylogger first seen in 2013.

      keyloggerstealerardamax

    • Ardamax main executable

    • Berbew

      Berbew is a backdoor written in C++.

      backdoorberbew

    • Blackmoon, KrBanker

      Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

      trojanbankerblackmoon

    • Cobalt Strike reflective loader

      Detects the reflective loader used by Cobalt Strike.

    • Cobaltstrike

      Detected malicious payload which is part of Cobaltstrike.

      trojanbackdoorcobaltstrike

    • Detect Blackmoon payload

    • Disables service(s)

      evasionexecution

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

      backdoortrojanfloxif

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Detects Floxif payload

      backdoor

    • ModiLoader Second Stage

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasionexecution

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Uses the VBS compiler for execution

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • System Binary Proxy Execution: Verclsid

      Adversaries may abuse Verclsid to proxy execution of malicious code.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

3
T1543

Windows Service

3
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

System Binary Proxy Execution

1
T1218

Verclsid

1
T1218.012

Credential Access

Discovery

Process Discovery

1
T1057

System Information Discovery

1
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Command and Control

Exfiltration

Impact

Service Stop

2
T1489

Tasks