Overview

overview

10

Static

static

10

DoomRat.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DoomRat.exe

  • Size

    13.1MB

  • Sample

    241008-t1l7baydqc

  • MD5

    6edaf9dbb1f9426909264824021cba05

  • SHA1

    24bd6481d35ec036a487d3da299f6ce3b417a511

  • SHA256

    e7723e324e357744eff9f182753e352845687e6fd3d1e9ee8eb6655fe8283cd4

  • SHA512

    9deaf0c6dfe74e3f155798bd66830e0dbbc9cc4d389518ae64b64712a78780e728a4c613c60775a1afd52216299f91f77c7609693f6a7631da39b607a3734d28

  • SSDEEP

    393216:uGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:5FQZ2YwUlJn1QtIm28Inpzo

Score
10/10
ardamaxasyncratdarkcometdoomratfloxifgh0stratlatentbotmydoomneshtasalitystealcxmrigxtremeratdefaultdomahf antivm apt backdoor banker bootkit botnet clipper collection crypter discovery downloader dropper evasion exploit exploiter upxadwareaspackv2backdoordefense_evasiondiscoveryevasionexecutionkeyloggerminerpersistencepyinstallerratspywarestealertrojanupxworm

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

asyncrat

Botnet

Default

C2

natural-familiar.gl.at.ply.gg:65030

Attributes
  • delay

    1

  • install

    true

  • install_file

    search.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

HF

C2

kingjosh.no-ip.org:1604

Mutex

DC_MUTEX-M6FNK6S

Attributes
  • gencode

    H0K3aGyMCu9N

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

stealc

Botnet

doma

C2

http://185.215.113.37

Attributes
  • url_path

    /e2b1563c6670f193.php

Extracted

Family

latentbot

C2

chaetlolilol.zapto.org

Targets

    • Target

      DoomRat.exe

    • Size

      13.1MB

    • MD5

      6edaf9dbb1f9426909264824021cba05

    • SHA1

      24bd6481d35ec036a487d3da299f6ce3b417a511

    • SHA256

      e7723e324e357744eff9f182753e352845687e6fd3d1e9ee8eb6655fe8283cd4

    • SHA512

      9deaf0c6dfe74e3f155798bd66830e0dbbc9cc4d389518ae64b64712a78780e728a4c613c60775a1afd52216299f91f77c7609693f6a7631da39b607a3734d28

    • SSDEEP

      393216:uGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:5FQZ2YwUlJn1QtIm28Inpzo

    Score
    10/10
    ardamaxasyncratdarkcometfloxifgh0stratlatentbotmydoomneshtasalitystealcxmrigxtremeratdefaultdomahfaspackv2backdoordefense_evasiondiscoveryevasionexecutionkeyloggerminerpersistenceratspywarestealertrojanupxworm

    • Ardamax

      A keylogger first seen in 2013.

      keyloggerstealerardamax

    • Ardamax main executable

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Detect Neshta payload

    • Detect XtremeRAT payload

    • Detects MyDoom family

    • Disables service(s)

      evasionexecution

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

      backdoortrojanfloxif

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

      ratgh0strat

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

      trojanlatentbot

    • Modifies WinLogon for persistence

      persistence

    • Modifies firewall policy service

      evasion

    • MyDoom

      MyDoom is a Worm that is written in C++.

      wormmydoom

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

      backdoorsality

    • Stealc

      Stealc is an infostealer written in C++.

      stealerstealc

    • UAC bypass

      evasiontrojan

    • Windows security bypass

      evasiontrojan

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

      persistencespywareratxtremerat

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • Detects Floxif payload

      backdoor

    • XMRig Miner payload

      miner

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

      aspackv2

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

4
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

4
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

2
T1547.004

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Impair Defenses

4
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

3
T1562.001

Indicator Removal

1
T1070

File Deletion

1
T1070.004

Modify Registry

9
T1112

Credential Access

Discovery

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Query Registry

1
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Time Discovery

1
T1124

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks