Overview

overview

10

Static

static

10

Avernus/Av...us.exe

windows7-x64

1

Avernus/Av...us.exe

windows10-2004-x64

1

DLL/Built.exe

windows7-x64

7

DLL/Built.exe

windows10-2004-x64

8

Avernus/Av...xe.lnk

windows7-x64

3

Avernus/Av...xe.lnk

windows10-2004-x64

3

Avernus/Av...or.exe

windows7-x64

7

Avernus/Av...or.exe

windows10-2004-x64

8

Avernus/Av...pi.dll

windows7-x64

1

Avernus/Av...pi.dll

windows10-2004-x64

1

Avernus/Av...ct.dll

windows7-x64

1

Avernus/Av...ct.dll

windows10-2004-x64

7

Avernus/Av...ct.dll

windows7-x64

1

Avernus/Av...ct.dll

windows10-2004-x64

1

Avernus/Av...64.dll

windows7-x64

1

Avernus/Av...64.dll

windows10-2004-x64

1

Avernus/Av...64.dll

windows7-x64

1

Avernus/Av...64.dll

windows10-2004-x64

1

Avernus/Av...sh.dll

windows7-x64

1

Avernus/Av...sh.dll

windows10-2004-x64

1

Avernus/Av...td.dll

windows7-x64

1

Avernus/Av...td.dll

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Avernus.zip

  • Size

    23.8MB

  • Sample

    241103-yfjmxatamj

  • MD5

    4caa96433e32bc6e75520eee388a38eb

  • SHA1

    991e1a7c5f59f4707410889b849ff078a704aefa

  • SHA256

    4b60b2960da8862d8ddb07ca1a96302bc591110dc1898a0bc6495e4fbacd56ad

  • SHA512

    662cac6844f44f58f7dea59fe543f7a0e45379ab9b529c8d9e871b7a98bd15cf799b2b1cdc1ea862017975fbc1b0194264f25c5ad3d175a4105e67f07fb2fbf2

  • SSDEEP

    393216:jRUkeH++Ar8g75a9rqf+Yg+0lI0sU9GEtDgF9S3SG0U87MCZFt8Sxsxv4yrm:VUpmla9vk0+klgF7s8YwFWSKv6

Score
10/10
blankgrabbercollectiondefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealerupxvmprotect

Malware Config

Targets

    • Target

      Avernus/Avernus/Avernus.exe

    • Size

      26KB

    • MD5

      32f006dfd6e5398112459024c77d1ee6

    • SHA1

      36c76a0f06ddc2f4eebfb4d27827ed44cd5e5ed6

    • SHA256

      57f38af93d01730d3046d79462cca62c8d7a97c052c48f59e4ec02b2dc497375

    • SHA512

      3954d128d88c93a097500b4563afcd29f5017675c98f1a58e878798cb0c68f020d4ce68aa75190f69873927d9db16b482bf60941493f50cb7ca5b03d87c4c659

    • SSDEEP

      384:lrA5gZ2zi9Zfg7N+G2TB0dkvwKwq6u3H37nokwMwA2GVYEmsREwmTRwXEO1efBfv:BA5g7ZId2TBrSHs/cRwXF1qyPPI

    Score
    1/10
    behavioral1behavioral2

    • Target

      DLL/Built.exe

    • Size

      7.6MB

    • MD5

      a51fa12917ee0b019099602cf9dff962

    • SHA1

      1632a80a702eae55aa6b48aa28023ece28a7a89b

    • SHA256

      5342ca75a92236a45edf7c1128bddd93615cc9939086b5c9b6742818b1ca4d71

    • SHA512

      df3885cf205924f3ebc174b8f202427331980ae6fc33a7f2aa7cf73eeb79db13c879d95859d9bc9b40034c1187ac5ce1c4b0e82a0a74ab1f7a23c24fe51907c3

    • SSDEEP

      196608:YggHYgwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jE:hnIHziK1piXLGVE4Ue0VJY

    Score
    8/10
    upxcollectiondefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral3behavioral4

    • Target

      Avernus/Avernus/DLLJector/AvernusInjector.exe.lnk

    • Size

      2KB

    • MD5

      434a18f84a002af2370ed27409b9bf09

    • SHA1

      343531480efb53e3e82f3b14ce8224d24adf7711

    • SHA256

      2eec46904c062ca8fd10d4b805b099e00b118ebc49211b1102fc3286e6af9707

    • SHA512

      5737d9fc0efa61f528c58a33a0a894d8b77d74a36eb24e01fc881d38dfe1bdc95f231b5bc604b0499a80261a47a477bcd83c63b92b8808b5c88a92658ac9fdb5

    Score
    3/10
    behavioral5behavioral6

    • Target

      Avernus/Avernus/DLLJector/DLL/AvernusInjector.exe

    • Size

      7.6MB

    • MD5

      a51fa12917ee0b019099602cf9dff962

    • SHA1

      1632a80a702eae55aa6b48aa28023ece28a7a89b

    • SHA256

      5342ca75a92236a45edf7c1128bddd93615cc9939086b5c9b6742818b1ca4d71

    • SHA512

      df3885cf205924f3ebc174b8f202427331980ae6fc33a7f2aa7cf73eeb79db13c879d95859d9bc9b40034c1187ac5ce1c4b0e82a0a74ab1f7a23c24fe51907c3

    • SSDEEP

      196608:YggHYgwfI9jUCzi4H1qSiXLGVi7DMgpZ3Q0VMwICEc/jE:hnIHziK1piXLGVE4Ue0VJY

    Score
    8/10
    upxcollectiondefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral7behavioral8

    • Target

      Avernus/Avernus/ForlornApi.dll

    • Size

      13KB

    • MD5

      058ef6e6dd8e5f17e364f7d5f9dab315

    • SHA1

      6d64a4e120231086a439553a38bd5273f4304609

    • SHA256

      9a20b5ea85f727a3456dc78484faab523be7b1cecb934721ec5ff5a11da24a54

    • SHA512

      ab9927365111aea26ffd172e8a449b0c3c2b6fdcf69bfd19d1fb36b0e27644ed7fd58d3c1586c1bec1c52f000548c4b36c0279c1d12728b5b0e2688c8dab9dc8

    • SSDEEP

      192:2T8pAUmIXruvxa8LhYWoii0PxKo1uELE3aEf++eNJL+2ianWJQvtVq+j9:08xlXeph7oVOD1uEHNNZJtVj9

    Score
    1/10
    behavioral10behavioral9

    • Target

      Avernus/Avernus/ForlornInject.dll

    • Size

      6.3MB

    • MD5

      6d9c8971c2b99866e32cfe2438269490

    • SHA1

      ddfb0023f230f2aa247cad3ada03e863739bd5ca

    • SHA256

      bad099e3a1dd5bcb48606d3b0a7d7399f5c2b4af9f9b0dfa3dba6b7451da14ed

    • SHA512

      f1c79b02a980c0c989b950ec2bcaae15c0f476d5675bcc58b8266a555f4bb46688d84d90b5e87bc4abf9e212d7c88406066994317bca4998b901ae4382d4b1b2

    • SSDEEP

      98304:pSO6zBrjT8/GMwg8I222UYbRNqylblygjSR5GDN09aBq/NkTxbCypypUsAkrbc:pSO6pA/GMw3IyfPHN5TN5yy1qc

    Score
    7/10
    vmprotect

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect
    behavioral11behavioral12

    • Target

      Avernus/Avernus/bin/ForlornInject.dll

    • Size

      914KB

    • MD5

      aaacc42fe524a519fd8a9c816a7e75ee

    • SHA1

      eb3df303b9de04cbdbbf65200b5bf622896126be

    • SHA256

      056461da47c04027d27477caf538e37de50b0adbee1b1db44b1d0723321cea90

    • SHA512

      6ff90b5f5b1f98e72016869c3e4d6ef58e138413f58e948f5140d2d7c538dd4635d0058d249827e20795c3df7e967a8181e655dd0028fc55146c257726bac44f

    • SSDEEP

      12288:EVrXIB4YwZupOHFl7iLrUkbs8rYosavWwIptQMWOHlp6eKCXYwh6hz6:E44H0pODexVrYoDu3fQ/O2eKC

    Score
    1/10
    behavioral13behavioral14

    • Target

      Avernus/Avernus/bin/libcrypto-3-x64.dll

    • Size

      4.5MB

    • MD5

      f9498e2e5be8278782708633650342d0

    • SHA1

      56632f42827d7d65bc10480730b74b6102a8071a

    • SHA256

      be4d803f15b8a200ad2edaa3828dd5f0e6350dd033edd7aeb4cae0dd7f00c531

    • SHA512

      d07c44f05bb2c79a09570288fecef55ea048b797c37ccefa086d21971d0162c4cdacb7e0ec5c5ed2ac7d821150d1fd6a8a7367e7f4c737ce4838c31b005d63ae

    • SSDEEP

      98304:ol+kK7ppAfhvCDuWu2PuOs1CPwDvt3uFGCC:EE7XAfhvCDuWu2mOs1CPwDvt3uFGCC

    Score
    1/10
    behavioral15behavioral16

    • Target

      Avernus/Avernus/bin/libssl-3-x64.dll

    • Size

      802KB

    • MD5

      533267ce589b1076c69cdc82231158ab

    • SHA1

      953df3a2728a2bd7e2becb28985dfa0c42402a9b

    • SHA256

      474210a8c8b679855796c2a602f707a886b74b16833f044fe0591adfe618b8d7

    • SHA512

      5903f4fff2c7008e54ab2d71fac756bd5d8b7c5cfa24b917cdfa82d55ff85b88ebffbd9c872730d241068c3ee78a15a11953682ff2856a4d046601f2441c0df8

    • SSDEEP

      12288:ygrAZCU3OegTlcFlyeq/yyfMi3m9t/Fz/b6UiXM+H6VyfU6OdEVB3AA:R6CU3q6FD1H6Ui8+ayidEVB3AA

    Score
    1/10
    behavioral17behavioral18

    • Target

      Avernus/Avernus/bin/xxhash.dll

    • Size

      47KB

    • MD5

      efa2cd16a47d15deaf348156eb6e14d8

    • SHA1

      f8c8807210ae3c2557d928e634fce6e34d48a576

    • SHA256

      3fb171ca29d11a9f4f296d0732a5fbf5b0b0bb8b83926784b1fff168175c68b2

    • SHA512

      bf268a01c693ac40644f5aea93a21005a8b35ae0c935e663ebeeba2afa91e46efa3ef0b9209c3328dc73ca52e71fdb85cd301f73bdc03aa1bd0d54e9307b1c0f

    • SSDEEP

      768:s1WkmhW508rbV9uoF6QV8nBT+RYOsYeZbK9DSPot87xq8auTUol:s1aW5BrbuHbnBiGO9SbToyxq8auT

    Score
    1/10
    behavioral19behavioral20

    • Target

      Avernus/Avernus/bin/zstd.dll

    • Size

      638KB

    • MD5

      fcbc4271f6b949ebe5fc7f02c7732378

    • SHA1

      81bdcf7fc286bedd3cb9575fa97673752f53e3e5

    • SHA256

      115a2e56238e05299e65111b8361b8de3324f188d172129ca4fc641b56ad0a7e

    • SHA512

      c2c416cf41b76530c301d12be62ef490d45d260b1a1aa1e7be3512215f3ffbce88792e70bb159f4982947a1a8fbf4df38c2e7119a8a124ccfeeab6d2a2bf95f8

    • SSDEEP

      6144:/qd76u2e8QuAkx7OT5evcME1Tk82zXtrwXgOTmkriCiaNFcuU2JmR/RXusb:i4u2IuAWcMEgzXt8QCmZCiaAuUn

    Score
    1/10
    behavioral21behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

2
T1059.001

Persistence

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Process Discovery

1
T1057

System Information Discovery

3
T1082

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks