General

  • Target

    DoomRat.exe

  • Size

    13.1MB

  • Sample

    241008-t1l7baydqc

  • MD5

    6edaf9dbb1f9426909264824021cba05

  • SHA1

    24bd6481d35ec036a487d3da299f6ce3b417a511

  • SHA256

    e7723e324e357744eff9f182753e352845687e6fd3d1e9ee8eb6655fe8283cd4

  • SHA512

    9deaf0c6dfe74e3f155798bd66830e0dbbc9cc4d389518ae64b64712a78780e728a4c613c60775a1afd52216299f91f77c7609693f6a7631da39b607a3734d28

  • SSDEEP

    393216:uGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:5FQZ2YwUlJn1QtIm28Inpzo

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Extracted

Family

asyncrat

Botnet

Default

C2

natural-familiar.gl.at.ply.gg:65030

Attributes
  • delay

    1

  • install

    true

  • install_file

    search.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

HF

C2

kingjosh.no-ip.org:1604

Mutex

DC_MUTEX-M6FNK6S

Attributes
  • gencode

    H0K3aGyMCu9N

  • install

    false

  • offline_keylogger

    true

  • persistence

    false

Extracted

Family

stealc

Botnet

doma

C2

http://185.215.113.37

Attributes
  • url_path

    /e2b1563c6670f193.php

Extracted

Family

latentbot

C2

chaetlolilol.zapto.org

Targets

    • Target

      DoomRat.exe

    • Size

      13.1MB

    • MD5

      6edaf9dbb1f9426909264824021cba05

    • SHA1

      24bd6481d35ec036a487d3da299f6ce3b417a511

    • SHA256

      e7723e324e357744eff9f182753e352845687e6fd3d1e9ee8eb6655fe8283cd4

    • SHA512

      9deaf0c6dfe74e3f155798bd66830e0dbbc9cc4d389518ae64b64712a78780e728a4c613c60775a1afd52216299f91f77c7609693f6a7631da39b607a3734d28

    • SSDEEP

      393216:uGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:5FQZ2YwUlJn1QtIm28Inpzo

    • Ardamax

      A keylogger first seen in 2013.

    • Ardamax main executable

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Detect Neshta payload

    • Detect XtremeRAT payload

    • Detects MyDoom family

    • Disables service(s)

    • Floxif, Floodfix

      Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

    • Gh0st RAT payload

    • Gh0strat

      Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    • LatentBot

      Modular trojan written in Delphi which has been in-the-wild since 2013.

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • MyDoom

      MyDoom is a Worm that is written in C++.

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • Stealc

      Stealc is an infostealer written in C++.

    • UAC bypass

    • Windows security bypass

    • XtremeRAT

      The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • Detects Floxif payload

    • XMRig Miner payload

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Executes dropped EXE

    • Loads dropped DLL

    • Unexpected DNS network traffic destination

      Network traffic to other servers than the configured DNS servers was detected on the DNS port.

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Network Share Discovery

      Attempt to gather information on host network.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks