General

  • Target

    CCleaner.zip

  • Size

    69.6MB

  • Sample

    241102-wmdn5a1ere

  • MD5

    96c5a1f7734e12ca8532ae046cd69657

  • SHA1

    506a9966b53fa3bd185c957ca66860a37a03883b

  • SHA256

    44cb295694f3332b31500c7d8408e6f93bb34a56617ae6850a205ed16c2a42a8

  • SHA512

    04ad6be5cb0a005ac7ad35664737457c61fdb6574e0f6cde6cc0c1d59ac9a83f43d832060cb7bd4f469edba33f37b1ffbaf1037761e8a1b56fae5ae7fcd06bd0

  • SSDEEP

    1572864:odGgTRKAeOnFhPUfaHj9x4Zo6W/JiWdBLkZAekooRN5r9WJw:WfRKAznFd92ZoPRiWdBYmekt1J6w

Malware Config

Targets

    • Target

      CCleaner.exe

    • Size

      69.8MB

    • MD5

      b223d29a27fc60f4c95645782a8d7699

    • SHA1

      ca86debdea62144a4bfdf8274461210b3018a742

    • SHA256

      23eda7958cd22e11d5daa39d5a82e5740512c9435a138214b98d1925520bf8e8

    • SHA512

      c99ecf82a6fa9cc0c649fb209788b7deaec89e17d41c2d09bd3cfea0407a66f1e169c0327d240e1ad2d8cb659882c68a1743f9ad9a7bcb5d3be924cb2fb044be

    • SSDEEP

      1572864:SDXgoR2AisPldgBPeSXM4Qdr9zvGWzEOJWkUC6LbPZRGFT:ipR2ANPlwWSc4QRpvGWzXgkUD3vqT

    • RuRAT

      RuRAT is a remote admin tool sold as legitimate software but regularly abused in malicious phishing campaigns.

    • Rurat family

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Blocklisted process makes network request

    • Checks for any installed AV software in registry

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks