General
Target: DoomRat.exe
Size: 13.1MB
Sample: 241008-t1l7baydqc
MD5: 6edaf9dbb1f9426909264824021cba05
SHA1: 24bd6481d35ec036a487d3da299f6ce3b417a511
SHA256: e7723e324e357744eff9f182753e352845687e6fd3d1e9ee8eb6655fe8283cd4
SHA512: 9deaf0c6dfe74e3f155798bd66830e0dbbc9cc4d389518ae64b64712a78780e728a4c613c60775a1afd52216299f91f77c7609693f6a7631da39b607a3734d28
SSDEEP: 393216:uGV21SQhZ2YsHFUK2Jn1+TtIiFQS2NXNsIX3WabTToj:5FQZ2YwUlJn1QtIm28Inpzo
Static task: static1
Behavioral task: behavioral1
  Sample: DoomRat.exe
  Resource: win10-20240404-en
Malware Config
Extracted: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Extracted: asyncrat
  Default
  natural-familiar.gl.at.ply.gg:65030
  delay: 1
  install: true
  install_file: search.exe
  install_folder: %AppData%
Extracted: darkcomet
  HF
  kingjosh.no-ip.org:1604
  DC_MUTEX-M6FNK6S
  gencode: H0K3aGyMCu9N
  install: false
  offline_keylogger: true
  persistence: false
Extracted: stealc
  doma: http://185.215.113.37
  url_path: /e2b1563c6670f193.php
Extracted: latentbot
  chaetlolilol.zapto.org
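The extracted configurations above give five families' C2 indicators in three shapes: full URLs (sality, stealc), host:port pairs (asyncrat, darkcomet) and a bare hostname (latentbot). The following is an added example, not part of the sandbox report or of any of these families' own code, that normalises those strings into structured indicators and matches observed connections against them. The indicator strings are copied from the report; the record layout, function names and the dynamic-DNS suffix list are this example's own assumptions.

```python
"""Normalise the C2 indicators extracted from the DoomRat.exe sandbox report.

Added example, not part of the sandbox report or any malware family's code.
The indicator strings are copied from the report's Malware Config section;
everything else (record layout, function names, suffix list) is an assumption.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Copied from the report's "Extracted" blocks: family -> raw C2 strings.
# The stealc entry joins the report's "doma" and "url_path" fields.
REPORT_C2 = {
    "sality": [
        "http://89.119.67.154/testo5/",
        "http://kukutrustnet777.info/home.gif",
        "http://kukutrustnet888.info/home.gif",
        "http://kukutrustnet987.info/home.gif",
        "http://www.klkjwre9fqwieluoi.info/",
        "http://kukutrustnet777888.info/",
    ],
    "asyncrat": ["natural-familiar.gl.at.ply.gg:65030"],
    "darkcomet": ["kingjosh.no-ip.org:1604"],
    "stealc": ["http://185.215.113.37/e2b1563c6670f193.php"],
    "latentbot": ["chaetlolilol.zapto.org"],
}

# Dynamic-DNS / tunnelling suffixes that appear in this report (assumption:
# these three are the only patterns the analyst wants flagged generically).
DYNDNS_SUFFIXES = (".no-ip.org", ".zapto.org", ".ply.gg")


@dataclass(frozen=True)
class C2Indicator:
    family: str
    scheme: Optional[str]   # "http" for URLs, None for host[:port] entries
    host: str
    port: Optional[int]     # None when the report gives no port
    path: Optional[str]     # URL path, None for non-URL entries


def parse_c2(family: str, raw: str) -> C2Indicator:
    """Turn one raw config string into a structured indicator.

    Handles the three shapes in the report: full URL, host:port, bare host.
    """
    raw = raw.strip()
    if "://" in raw:
        parts = urlsplit(raw)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return C2Indicator(family, parts.scheme, parts.hostname.lower(), port, parts.path or "/")
    host, sep, port = raw.rpartition(":")
    if sep and port.isdigit():
        return C2Indicator(family, None, host.lower(), int(port), None)
    return C2Indicator(family, None, raw.lower(), None, None)


def build_indicators(config=REPORT_C2) -> list:
    """Flatten the per-family config into a list of C2Indicator records."""
    return [parse_c2(fam, s) for fam, items in config.items() for s in items]


def match_connection(host: str, port: Optional[int], indicators=None) -> Optional[str]:
    """Return the family whose C2 matches an observed (host, port), else None.

    An indicator without a port matches any port. A host that only matches a
    dynamic-DNS suffix is reported as "dyndns" so it is visible but clearly
    distinguished from an exact hit.
    """
    indicators = build_indicators() if indicators is None else indicators
    host = host.lower()
    for ind in indicators:
        if ind.host == host and (ind.port is None or port is None or ind.port == port):
            return ind.family
    if host.endswith(DYNDNS_SUFFIXES):
        return "dyndns"
    return None


def distinct_hosts(indicators=None) -> set:
    """Unique hostnames/IPs to push into a DNS or proxy blocklist."""
    indicators = build_indicators() if indicators is None else indicators
    return {ind.host for ind in indicators}


if __name__ == "__main__":
    for ind in build_indicators():
        print(ind)
    print(sorted(distinct_hosts()))
```

The port default in `parse_c2` assumes the sality and stealc URLs use their scheme's standard port, since the report lists none; the match on a host with a mismatched port deliberately does not return the family, so that a DNS-only sighting (port `None`) still matches while a different service on the same dynamic-DNS name is only flagged as `"dyndns"`.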
Targets
Target: DoomRat.exe
Size: 13.1MB
Hashes: as listed under General above.
- Ardamax main executable
- Detect Neshta payload
- Detect XtremeRAT payload
- Detects MyDoom family
- Gh0st RAT payload
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Neshta
  Neshta is a file-infecting virus: it writes itself into other executables so that running them spreads the infection and damages the host files.
- XtremeRAT
  XtremeRAT, written in Delphi, was developed by xtremecoder and has been available since at least 2010.
- Detects Floxif payload
- XMRig Miner payload
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key under the Active Setup of the local machine.
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- ACProtect 1.3x - 1.4x DLL software
  Detects a file protected with ACProtect.
- Executes dropped EXE
- Loads dropped DLL
- Unexpected DNS network traffic destination
  Traffic on the DNS port to servers other than the configured DNS servers was detected.
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by their intrusion activity.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP address.
- Modifies WinLogon
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
MITRE ATT&CK Enterprise v15 (count of matched signatures per technique)
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (1)
    Service Execution (1)
Persistence
  Boot or Logon Autostart Execution (4)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (4)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (2)
  Create or Modify System Process (2)
    Windows Service (2)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Indicator Removal (1)
    File Deletion (1)
  Modify Registry (9)