General

  • Target

    RNSM00462.7z

  • Size

    43.1MB

  • Sample

    241008-yfrcrayglm

  • MD5

    16c1b775fd61d301fa85b64ef9c7c972

  • SHA1

    64e4463c7e974480061fb8c8787e7b4ca789f861

  • SHA256

    194c7d681f8c905c6f89414ebf06a71f851e38b391bad73902aa4b4e73806a4c

  • SHA512

    a391321473117cf178d1a4b4fa79b5bce5f96764660f67270e713da1693a127004897b8eaaa83bde83d87546b9b5b4aeb6c3e486b761ab9f1894561acfd1830c

  • SSDEEP

    786432:PqcCaXezoivPTCchXuW2lzMjzc3fWZRaGtXrdycC51FE+7+x1jGcx7+7i72v7j+q:PqPqeztTCiXuPlzMEPsRft5bC51FEp1O

Malware Config

Extracted

Family

njrat

Version

im523

Botnet

badya

C2

2.tcp.ngrok.io:12438

Mutex

5e4a8dc8cd9d3a2e42914844f5688d1f

Attributes

  • reg_key

    5e4a8dc8cd9d3a2e42914844f5688d1f

  • splitter

    |'|'|

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

Mutex

AsyncMutex_6SI8OkPnk

Attributes

  • delay

    3

  • install

    false

  • install_file

    AsyncRAT.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

mgoogloe.ddns.net:3055

Mutex

608b43860bd3442535512bd18040ddc1

Attributes

  • reg_key

    608b43860bd3442535512bd18040ddc1

  • splitter

    |'|'|

Extracted

Family

cryptbot

C2

knuzjh62.top

morwye06.top

Attributes

  • payload_url

    http://sarjeb09.top/download.php?file=lv.exe

Extracted

Family

nanocore

Version

1.2.2.0

C2

darkrig.ddns.net:54984

127.0.0.1:54984

Mutex

2f20429c-c6e2-4e93-b919-bfd4058948f7

Attributes

  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2018-09-14T22:24:42.173380636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    true

  • connect_delay

    4000

  • connection_port

    54984

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    2f20429c-c6e2-4e93-b919-bfd4058948f7

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    darkrig.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

urelas

C2

Extracted

Family

redline

Botnet

ytzip

C2

135.148.139.222:33569

Extracted

Family

snakekeylogger

Credentials

Targets

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • CryptBot

      CryptBot is a C++ stealer widely distributed in bundles with other software.

    • CryptBot payload

    • Modifies WinLogon for persistence

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Snake Keylogger

      Keylogger and infostealer first seen in November 2020.

    • Snake Keylogger payload

    • Urelas

      Urelas is a trojan targeting card games.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Modifies Windows Firewall

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Unsecured Credentials: Credentials In Files

      Steals credentials from unsecured files.

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.