General

  • Target

    ca0aef7482908df28ea75b42f8b26236aecfcc5b37421fdc0d309cee15500506

  • Size

    6.8MB

  • Sample

    241104-rxgfjs1dpf

  • MD5

    b96ce989c772a073b1bcc341a37787e3

  • SHA1

    2c66915d1384818a982eacb364acb5e86c2a66fc

  • SHA256

    ca0aef7482908df28ea75b42f8b26236aecfcc5b37421fdc0d309cee15500506

  • SHA512

    d7094d7a93019235ec6fb193bb0df27063f761f11b6eb0ba38cf69c43db435e6355370106d3c2a87ac566ca4ebcd07ae68e1845047280995f7d35d2d1d430ff5

  • SSDEEP

    196608:t86NetLpl2zCh3a3Dlrn7LKzwRfh1ZscQAedF1cHISas:O6NejMzChaDlrn7Lkkic0dF1Jc
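The digests above are the only thing that ties a file on disk to this report, so the first check a practitioner makes is to recompute them. The following Python is an added example, not part of the sandbox report or its vendor's tooling: it hashes a file once with all four algorithms the report publishes, flags a copied hash table that is truncated or contains non-hex characters (a common paste error in IOC lists), and confirms the report's own Target identifier is its SHA-256. The hash values embedded in it are copied from the General section; the `b"abc"` input in the usage is constructed.

```python
"""Check a file against the digests published in the report's General section."""
import hashlib
import io
from typing import BinaryIO, Dict, List

# Copied from the General section above (parent sample).
REPORT_TARGET_ID = "ca0aef7482908df28ea75b42f8b26236aecfcc5b37421fdc0d309cee15500506"
REPORT_HASHES: Dict[str, str] = {
    "md5": "b96ce989c772a073b1bcc341a37787e3",
    "sha1": "2c66915d1384818a982eacb364acb5e86c2a66fc",
    "sha256": "ca0aef7482908df28ea75b42f8b26236aecfcc5b37421fdc0d309cee15500506",
    "sha512": "d7094d7a93019235ec6fb193bb0df27063f761f11b6eb0ba38cf69c43db435e6"
              "355370106d3c2a87ac566ca4ebcd07ae68e1845047280995f7d35d2d1d430ff5",
}

# Hex-digest lengths; a copied IOC of the wrong length is truncated or mislabelled.
EXPECTED_HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def digest_stream(stream: BinaryIO, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read the input once and feed every algorithm from the same chunks,
    so a large sample is not re-read once per digest."""
    hashers = {name: hashlib.new(name) for name in EXPECTED_HEX_LEN}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_stream(io.BytesIO(data))


def digest_file(path: str) -> Dict[str, str]:
    with open(path, "rb") as f:
        return digest_stream(f)


def validate_ioc_table(table: Dict[str, str]) -> List[str]:
    """Return human-readable problems with a copied hash table (empty list if clean)."""
    problems = []
    for name, value in table.items():
        want = EXPECTED_HEX_LEN.get(name)
        if want is None:
            problems.append(f"{name}: unknown algorithm")
        elif len(value) != want:
            problems.append(f"{name}: expected {want} hex chars, got {len(value)}")
        elif any(c not in "0123456789abcdef" for c in value.lower()):
            problems.append(f"{name}: non-hex characters")
    return problems


def compare(computed: Dict[str, str], table: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm agreement between computed digests and the published ones."""
    return {name: computed.get(name, "").lower() == value.lower()
            for name, value in table.items()}


def is_reported_sample(computed: Dict[str, str], table: Dict[str, str]) -> bool:
    """True only if every published digest agrees. A partial match means either
    a different file or a mis-copied indicator, and both deserve a look."""
    results = compare(computed, table)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Constructed input: the bytes b"abc" stand in for a file under review.
    computed = digest_bytes(b"abc")
    print("IOC table problems:", validate_ioc_table(REPORT_HASHES))
    print("Target id is the SHA-256:", REPORT_TARGET_ID == REPORT_HASHES["sha256"])
    print("Matches reported sample:", is_reported_sample(computed, REPORT_HASHES))
```

Use `digest_file(path)` on a real file; a match on SHA-256 but not on MD5 or SHA-1 should be treated as a copy error in the indicator list, not as a collision.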

Malware Config

  • Extracted

    Family: metasploit
    Version: windows/single_exec

  • Extracted

    Family: redline
    Botnet: Ani
    C2: yaklalau.xyz:80

  • Extracted

    Family: redline
    Botnet: Cana
    C2: 176.111.174.254:56328

  • Extracted

    Family: fickerstealer
    C2: bukkva.club:80

  • Extracted

    Family: smokeloader
    Botnet: pub6
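Two of the extracted C2 endpoints are domains on port 80 and one is a bare IP on a high port, and they attribute back to different families and botnet tags. The following Python is an added example, not code from the report or from any of the families it names: it turns the extracted configs into typed indicators and matches outbound connection records against them, treating domain indicators and IP indicators differently (a domain C2 is matched on the resolved or declared name and covers its subdomains, an IP C2 on the destination address) and reporting a port mismatch instead of discarding the hit. The endpoint strings are copied from the section above; the `Connection` record shape and the 203.0.113.x sample traffic are constructed.

```python
"""Match outbound connections against the C2 endpoints extracted above."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class C2Indicator:
    family: str
    botnet: Optional[str]
    host: str   # domain or IP literal, lower-cased, as published
    port: int

    @property
    def is_ip(self) -> bool:
        try:
            ipaddress.ip_address(self.host)
            return True
        except ValueError:
            return False

    def label(self) -> str:
        botnet = f"/{self.botnet}" if self.botnet else ""
        return f"{self.family}{botnet} {self.host}:{self.port}"


def parse_c2(family: str, botnet: Optional[str], endpoint: str) -> C2Indicator:
    """Split the report's 'host:port' form; rpartition keeps IPv6 literals intact."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"no port in {endpoint!r}")
    return C2Indicator(family, botnet, host.strip("[]").lower(), int(port))


# Copied from the Malware Config section; configs without a C2 (metasploit,
# smokeloader/pub6) contribute no network indicator.
C2_INDICATORS: List[C2Indicator] = [
    parse_c2("redline", "Ani", "yaklalau.xyz:80"),
    parse_c2("redline", "Cana", "176.111.174.254:56328"),
    parse_c2("fickerstealer", None, "bukkva.club:80"),
]


@dataclass(frozen=True)
class Connection:
    """A constructed event shape, not a real sensor's schema."""
    dst_ip: str
    dst_port: int
    dst_name: Optional[str] = None  # DNS answer name, TLS SNI or HTTP Host, if known


def host_matches(indicator_host: str, observed: str) -> bool:
    """Exact domain or any subdomain; 'notyaklalau.xyz' must not match."""
    observed = observed.lower().rstrip(".")
    return observed == indicator_host or observed.endswith("." + indicator_host)


def match_connection(conn: Connection,
                     indicators: List[C2Indicator] = C2_INDICATORS
                     ) -> List[Tuple[C2Indicator, bool]]:
    """Return (indicator, port_also_matched). IP indicators match on the
    destination address; domain indicators need a resolved or declared name,
    because the address behind a C2 domain changes."""
    hits = []
    for ioc in indicators:
        if ioc.is_ip:
            hit = conn.dst_ip == ioc.host
        else:
            hit = conn.dst_name is not None and host_matches(ioc.host, conn.dst_name)
        if hit:
            hits.append((ioc, conn.dst_port == ioc.port))
    return hits


def triage(connections: List[Connection]) -> List[str]:
    """One line per hit, flagging port mismatches rather than discarding them."""
    lines = []
    for conn in connections:
        for ioc, port_ok in match_connection(conn):
            note = "" if port_ok else f" (observed port {conn.dst_port})"
            lines.append(f"{conn.dst_ip}:{conn.dst_port} -> {ioc.label()}{note}")
    return lines


if __name__ == "__main__":
    # Constructed traffic; 203.0.113.0/24 is the TEST-NET-3 documentation range.
    sample = [
        Connection("203.0.113.10", 80, "yaklalau.xyz"),
        Connection("176.111.174.254", 56328),
        Connection("203.0.113.11", 443, "cdn.bukkva.club"),
        Connection("203.0.113.12", 80, "notyaklalau.xyz"),
    ]
    print("\n".join(triage(sample)))
```

Feed `triage()` from proxy, DNS or NetFlow records; the IP indicator is only as durable as the operator's hosting, so expire it sooner than the domain indicators.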

Targets

    • Target

      app.exe

    • Size

      4.5MB

    • MD5

      ea57c9a4177b1022ec4d053af865cbc9

    • SHA1

      7ec0f509955223f91ff3f225bfdc53e5ec56a6d8

    • SHA256

      0e2bcbe99b84383cfa549598d998bddce096daa94e1eb6dfbfa66d3cf12cc1e4

    • SHA512

      a889aa2439957fb8d78c1d582f5f0a3c2a084e1e085ac1ef00a42d69d144599769c6bbb6c0ad24aaf310db9ac153b54970ec292cc75d1bacbb57c1f603297802

    • SSDEEP

      98304:zCAdBEbQw8N1k4UvgFzDRLIvPJDh6GIJD7k5iIl7nTFrfspCYmQ4:/k58N1RJavmrJs5X7T9lXQ4

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

    • Glupteba family

    • Glupteba payload

    • MetaSploit

      Detected a malicious payload that is part of the Metasploit Framework, likely generated with msfvenom or a similar tool.

    • Metasploit family

    • Windows security bypass

    • Modifies boot configuration data using bcdedit

    • Drops file in Drivers directory

    • Modifies Windows Firewall

    • Possible attempt to disable PatchGuard

      Rootkits can use kernel patching to embed themselves in an operating system.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Manipulates WinMon driver

      Rootkits write to WinMon to hide PIDs from being detected.

    • Manipulates WinMonFS driver

      Rootkits write to WinMonFS to hide directories/files from being detected.

    • Target

      arnatic_2.exe

    • Size

      323KB

    • MD5

      69b2b0208246bf893409e69a862eef76

    • SHA1

      839b1236dc249fa9f19f717ffb42896e09fd9d5e

    • SHA256

      d9d4fee430f16d00256908e81a7b735954cad46807da9cd40c28435e5bcf0105

    • SHA512

      422762cbd84626f9bf95735479b6832f1970b8498e3f767275c62a9c94c7d46b4525b1af93f3925b2a0fb01bc73ec246792eab1ce02a9245f33cf8d02011e7d8

    • SSDEEP

      6144:4rYjDIFTxzTnnKDLLFExp2HVfdwQlUb2Axn14ubuJEOEPKriC5:7jDcTxzTnKD8p2HVfGQUHF14ugAlu

    • Target

      arnatic_3.exe

    • Size

      680KB

    • MD5

      7837314688b7989de1e8d94f598eb2dd

    • SHA1

      889ae8ce433d5357f8ea2aff64daaba563dc94e3

    • SHA256

      d8c28d07c365873b4e8332f057f062e65f2dd0cd4d599fd8b16d82eca5cf4247

    • SHA512

      3df0c24a9f51a82716abb8e87ff44fdb6686183423d1f2f7d6bfb4cd03c3a18490f2c7987c29f3e1b2d25c48d428c2e73033998a872b185f70bb68a7aedb3e7c

    • SSDEEP

      12288:Umn1vBXNJl0P3ZbcCAjqH0d5Q+qUH6wyZQMvvdgMiCIT:n1vJNJla39cGH0d+7sOlQCIT

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    • Target

      arnatic_4.exe

    • Size

      972KB

    • MD5

      5668cb771643274ba2c375ec6403c266

    • SHA1

      dd78b03428b99368906fe62fc46aaaf1db07a8b9

    • SHA256

      d417bd4de6a5227f5ea5cff3567e74fe2b2a25c0a80123b7b37b27db89adc384

    • SHA512

      135bd12414773cc84270af5225920a01487626528d7bbc2b703be71652265772c2e5488ee3f7e2c53b0b01c617b8c7920e0b457472b6724cfa9ec4c390b0a55a

    • SSDEEP

      24576:r2FhEQuE3w782S+UWIO5/6TNkdBAnlXG6+Z1mbXRV:Q/3w782SzWn5/akUlXF+Z1IBV

    Score
    9/10
    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Target

      arnatic_5.exe

    • Size

      780KB

    • MD5

      fd4160bc3c35b4eaed8c02abd8e2f505

    • SHA1

      3c7bcdc27da78c813548a6465d59d00c4dc75bba

    • SHA256

      46836190326258f65c9dbc1930b01e9d3de04996a1a2c79e39a36c281d79fe0a

    • SHA512

      37e671e355c6a533c3273f2af12277b4457719e9b2d4fa9859386eae78010a9be6e63941f85b319ce5c9f98867f82a067bca16c208d2d38dee9f0fee0f656895

    • SSDEEP

      24576:i77o8t0b5e8dzMdQG/6dfwun9elTFl64D:1jdgdR/+IunmTvxD

    • Modifies Windows Defender Real-time Protection settings

    • Target

      arnatic_6.exe

    • Size

      387KB

    • MD5

      c549246895fdf8d8725255427e2a7168

    • SHA1

      ae7e4d99b82e6aba4366b34eba32b750d75a0234

    • SHA256

      e607c6376ebb6db55e15852b51dfe666a09eb498c00cc86be9491564b5751c1d

    • SHA512

      b6e8694d3e2bea07072dc643e6c2fe96defc2c8f2f7d9364e7cc1e8568039e340d81c541a8fbb91cd5e9b41b2b97716c0d22844cf179c16b53f96b7f64efc41a

    • SSDEEP

      12288:B1alverQ2vhIc9fNS0JHz/WJUCUldYIwhW3ofgKzb:La

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Suspicious use of SetThreadContext

    • Target

      arnatic_7.exe

    • Size

      397KB

    • MD5

      fe5c49e95574a208cdcd0cbbd38d4e04

    • SHA1

      c79e4a68e3499f66d6ed628911aed4868ce362ea

    • SHA256

      14cb2597414f705abc44a0c54322f995d4ac54b75b50daf64dc3b61895c9f6ea

    • SHA512

      cfbb2e8b3cf7fe2729ec3189ed18379251a8ed0b9803f3290bfe11be149331b79ec063eb4b506ee18b00d363c2b4b58b6c5d979ee8f03f9277735b5f5fab91a7

    • SSDEEP

      6144:RgG2QIaoviJXS4tkOGhK85JOMnfJ/z1ZLdQKFKRsoVyhcdKriC:x2QfoviJC4t0K850MfJ/z1rQKFKNtdl

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Sectoprat family

    • Target

      null.exe

    • Size

      445KB

    • MD5

      f3a5853a448abbe8b10144d11401d835

    • SHA1

      3b1faf00ff991c603fd6c9b01ba1f01e535bf5d4

    • SHA256

      91a7a0dd8930ad66fc44cac3720d7db83fda6f9902c967e47bec0d67cafc6631

    • SHA512

      9c6b30a077859dfdc2e5d59d451096bc5089b3be8f44c7787cb4e82462789b50925964c2048ac7989699b47421622ed1d4c01507e56c87d7d5e83ef5253844cc

    • SSDEEP

      12288:3kcf3zuGM5Zyc2YBXzziGlTA7W/+PzSYF6ey:3D3zuGMPA8TAvzuey

    • Fickerstealer

      Ficker is an infostealer written in Rust and ASM.

    • Fickerstealer family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
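Most of the behaviour signatures listed for the dropped targets (bcdedit boot-configuration changes, firewall changes, Run-key persistence, Defender real-time protection settings, Uninstall-key enumeration, driver drops, external IP lookup) map onto host telemetry a SOC already collects. The following Python is an added example and not the sandbox vendor's detection logic: it encodes those signatures as rules over a constructed, Sysmon-like event stream and reports which behaviour fired on which event. The event schema, the command lines and paths in `SAMPLE_EVENTS`, and the `IP_LOOKUP_SERVICES` list are all assumptions made for the example; the report publishes none of the sample's command lines, and the list of lookup services is a partial list of well-known public services rather than anything observed here.

```python
"""Detection logic for several behaviours flagged in the Targets section, run
over constructed host telemetry."""
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed, Sysmon-like event shape: a "type" plus a few string fields.
Event = Dict[str, str]

# Partial list of well-known public IP-lookup services (assumption, not from the report).
IP_LOOKUP_SERVICES = {"api.ipify.org", "ipinfo.io", "icanhazip.com",
                      "ifconfig.me", "checkip.dyndns.org", "ip-api.com"}


def _cmd(ev: Event) -> str:
    return ev.get("command_line", "").lower()


def _image(ev: Event) -> str:
    return ev.get("image", "").lower()


def _target(ev: Event) -> str:
    return ev.get("target", "").lower()


# (behaviour name as written in the report, event type it needs, predicate)
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("Modifies boot configuration data using bcdedit", "process",
     lambda ev: _image(ev).endswith("\\bcdedit.exe") and "/set" in _cmd(ev).split()),
    ("Modifies Windows Firewall", "process",
     lambda ev: _image(ev).endswith("\\netsh.exe") and "firewall" in _cmd(ev)),
    ("Adds Run key to start application", "registry_set",
     lambda ev: re.search(r"\\currentversion\\run(once)?\\", _target(ev)) is not None),
    ("Modifies Windows Defender Real-time Protection settings", "registry_set",
     lambda ev: "\\windows defender\\real-time protection\\" in _target(ev)),
    # Registry reads are not in Sysmon; this needs API-hook or registry-audit telemetry.
    ("Checks installed software on the system", "registry_query",
     lambda ev: _target(ev).endswith("\\currentversion\\uninstall")
     or "\\currentversion\\uninstall\\" in _target(ev)),
    ("Drops file in Drivers directory", "file_create",
     lambda ev: "\\system32\\drivers\\" in _target(ev)),
    ("Looks up external IP address via web service", "network",
     lambda ev: ev.get("dst_name", "").lower().rstrip(".") in IP_LOOKUP_SERVICES),
]


def detect(events: Iterable[Event]) -> List[Tuple[str, int]]:
    """Return (behaviour, event index) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, needed_type, pred in RULES:
            if ev.get("type") == needed_type and pred(ev):
                hits.append((name, idx))
    return hits


def summarize(events: Iterable[Event]) -> Dict[str, int]:
    """Count how often each behaviour fired; useful for ranking sandbox runs."""
    counts: Dict[str, int] = {}
    for name, _ in detect(list(events)):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample telemetry. Command lines and paths are illustrative only;
# the report does not publish the sample's actual command lines.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {current} nointegritychecks on"},
    {"type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "command_line": 'netsh advfirewall firewall add rule name="svc" dir=in action=allow program=C:\\app\\app.exe'},
    {"type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\app"},
    {"type": "registry_set",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring"},
    {"type": "registry_query",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"type": "file_create", "target": r"C:\Windows\System32\drivers\example.sys"},
    {"type": "network", "dst_name": "api.ipify.org", "dst_port": "443"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},  # benign control: should fire nothing
]

if __name__ == "__main__":
    for name, idx in detect(SAMPLE_EVENTS):
        print(f"[{idx}] {name}")
```

The injection-related signatures in the list (SetThreadContext, NtCreateUserProcessOtherParentProcess) are deliberately absent: they come from API-level hooking inside the sandbox and have no equivalent in standard endpoint logs, so a rule for them would need a different telemetry source.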

MITRE ATT&CK Enterprise v15

Tasks

  • static1

    Tags: fabookie privateloader risepro
    Score: 10/10

  • behavioral1

    Tags: glupteba metasploit backdoor discovery dropper evasion loader persistence privilege_escalation rootkit trojan
    Score: 10/10

  • behavioral2

    Tags: glupteba metasploit backdoor discovery dropper evasion loader persistence privilege_escalation rootkit trojan
    Score: 10/10

  • behavioral3

    Tags: smokeloader pub6 backdoor trojan
    Score: 10/10

  • behavioral4

    Tags: smokeloader pub6 backdoor discovery trojan
    Score: 10/10

  • behavioral5

    Tags: discovery
    Score: 10/10

  • behavioral6

    Tags: discovery
    Score: 7/10

  • behavioral7

    Tags: discovery upx
    Score: 9/10

  • behavioral8

    Tags: discovery upx
    Score: 9/10

  • behavioral9

    Tags: discovery evasion trojan
    Score: 10/10

  • behavioral10

    Tags: discovery evasion trojan
    Score: 10/10

  • behavioral11

    Tags: redline sectoprat ani discovery infostealer rat trojan
    Score: 10/10

  • behavioral12

    Tags: redline sectoprat ani discovery infostealer rat trojan
    Score: 10/10

  • behavioral13

    Tags: redline sectoprat cana discovery infostealer rat trojan
    Score: 10/10

  • behavioral14

    Tags: redline sectoprat cana discovery infostealer rat trojan
    Score: 10/10

  • behavioral15

    Tags: fickerstealer discovery infostealer
    Score: 10/10

  • behavioral16

    Tags: fickerstealer discovery infostealer
    Score: 10/10