ae0ba7ecf43d1ee0a4cb8784d3730d56b773b95e7518bd9842d8defed69e83e8

Sharing

Copy URL

Twitter E-mail

General

Target

Raid_Recovery.exe
Size

7.6MB
Sample

241108-pks8gascrd
MD5

2535e906ec2e36ef9fb2c94ce851ca8d
SHA1

31518d602483f06560010effaa12e99f6610d726
SHA256

ae0ba7ecf43d1ee0a4cb8784d3730d56b773b95e7518bd9842d8defed69e83e8
SHA512

cf86f3a70a377eee31e8fbab4b2b71cd96e71f81ea04c7475f92ad8d9022b283f7e21eb61c17f52b6c28b4cdafee8f1c914cc3a43063aab6cbcf64f1c55a3dc1
SSDEEP

196608:9nrp/d1H8ERh5xMYkegR8M4r2lFQKekvuGrilmtAonBdrLLEAq:rPzd+5v+M6mtuG/dx/2

Score

10^/10

Malware Config

Targets

- Target
  
  Raid_Recovery.exe
- Size
  
  7.6MB
- MD5
  
  2535e906ec2e36ef9fb2c94ce851ca8d
- SHA1
  
  31518d602483f06560010effaa12e99f6610d726
- SHA256
  
  ae0ba7ecf43d1ee0a4cb8784d3730d56b773b95e7518bd9842d8defed69e83e8
- SHA512
  
  cf86f3a70a377eee31e8fbab4b2b71cd96e71f81ea04c7475f92ad8d9022b283f7e21eb61c17f52b6c28b4cdafee8f1c914cc3a43063aab6cbcf64f1c55a3dc1
- SSDEEP
  
  196608:9nrp/d1H8ERh5xMYkegR8M4r2lFQKekvuGrilmtAonBdrLLEAq:rPzd+5v+M6mtuG/dx/2
Score

7^/10

bootkit discovery persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  14KB
- MD5
  
  325b008aec81e5aaa57096f05d4212b5
- SHA1
  
  27a2d89747a20305b6518438eff5b9f57f7df5c3
- SHA256
  
  c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
- SHA512
  
  18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
- SSDEEP
  
  192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  Alligator.k52
- Size
  
  2.2MB
- MD5
  
  d666a86984ec158c67bc83018f81ec85
- SHA1
  
  ec8e5be9e4f23babfe0b4f05bd4cdada1fe84ec9
- SHA256
  
  089472c6086ec0523dda6a710f7765ed9ca2210bf77ba4c8b2cfb8d05e69c2a0
- SHA512
  
  0c68979de62e4db77b96af6117567fae95f991eba4cea2bfa376b99a381e49bdf1a3a7f8daf44326790e4d9f57ca489a311f2c2dc90db650ea56873b49c21e63
- SSDEEP
  
  49152:cpDwb990wMty9wz6kWh9+W5AB+R81m7EB+g9G5ZXg8klSJIHvryTI/eVAB:8DkMtyyzZs5o+27wgk5ZQ8FIOMvB
Score

5^/10

discovery upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral5 behavioral6
- Target
  
  MIG_29.dll
- Size
  
  292KB
- MD5
  
  18ab16431c7bf0d034dfa150ca7939cf
- SHA1
  
  2f3bb21f5f1ef9dd6a27ce24f36fb1f800201877
- SHA256
  
  941c9465363df4fecdaa9592768eca03600763efd6b4ca8e520b471220b749d3
- SHA512
  
  f5332579f4344ebc35b246c60bf9206baf8f1908516bdd40a43bfe99f7539a4efc596ea2acfc940ed8c0ca1077c6f6046eb2072c67ea08c6acdfb4dbf996b66b
- SSDEEP
  
  6144:prXJF7hAUessw5KZg2P0XBZEwZu96B9XuwVYBH0VZlfMu4GjAOA0u7:lPEssspuIBWt0VnMu4S7u
Score

3^/10

discovery
behavioral7 behavioral8
- Target
  
  PascalStreams.dll
- Size
  
  86KB
- MD5
  
  15aacef96e0673400bddae0c3a97462c
- SHA1
  
  51fdb75bd4a27386b960a19308620868c48cff1d
- SHA256
  
  a767d213f1fa41bddfaad8540f987fbf39516802ace609916f336cb808afd40a
- SHA512
  
  e07b43379ccc42d8d86342db8437d78bfecca4c9e1033d9691557c27480c98bbed081486db34c74e1f1ce2ecf26376aa92ebd5e0b4e32fcdcabc6a49a26963af
- SSDEEP
  
  1536:pjqjoQTOKuovbvTspOaQcNFeSe4Edi3sXxC7gCKKmvXlu3mvj7dHUM9:8obtgvssanNFeS9EM3IxC7gCKdvVHvfb
Score

3^/10

discovery
behavioral10 behavioral9
- Target
  
  StarBurn.dll
- Size
  
  634KB
- MD5
  
  56c8cd1368ffcf4b1bdfc2e0b5030d70
- SHA1
  
  6186f2983412d0ee5456915550db2012738f9521
- SHA256
  
  07d3b623c763bd1039b35897933159a264bf127b707d335ddf340ee01d09bda4
- SHA512
  
  4e082103d09dbcc29fd2e8c0bd844a4856122e0e1d00a22c151703c06381057d1d6a83e2a1266a3bcd60a1a5d686d4081ae7f2d442b820ba921bfdb10b3699dc
- SSDEEP
  
  12288:s/gzbn9GQYAcfGqrv86eb2VPpnxgzpKY1:Uc32v8lb2nmzf1
Score

3^/10

discovery
behavioral11 behavioral12
- Target
  
  Uninstall.exe
- Size
  
  66KB
- MD5
  
  ad4408b7e7d47924a9e1d8442fe06c69
- SHA1
  
  441821e2444406529168059ffce99516227b7af8
- SHA256
  
  d56802ef3c2d22037de0da86ea96789a36a95ffec018d414abdce47f31f82920
- SHA512
  
  5f4917141b839b3729472cf12780e3fb31e31ed3d7c4e4cd3a530bacc8746ce608afcbf8a72aa6f744d0c4eb3c44f4f60009e4de25a8fb21cfb795e3aa59bb7e
- SSDEEP
  
  1536:NLXB65939tY6HBg4sXJwYRN6Qc/Pdl2M6s3:NLk395hYXJwqOl2MR
Score

7^/10

discovery phishing
- A potential corporate email address has been identified in the URL: [email protected]
  phishing
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
behavioral13 behavioral14
- Target
  
  $PLUGINSDIR/InstallOptions.dll
- Size
  
  14KB
- MD5
  
  325b008aec81e5aaa57096f05d4212b5
- SHA1
  
  27a2d89747a20305b6518438eff5b9f57f7df5c3
- SHA256
  
  c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
- SHA512
  
  18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
- SSDEEP
  
  192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
Score

3^/10

discovery
behavioral15 behavioral16
- Target
  
  bs_load.di
- Size
  
  466KB
- MD5
  
  15abbe3c15e018da7ef56841af33cb74
- SHA1
  
  7a91dca0f03b175929ded67625d79a5430c3ceff
- SHA256
  
  c0980bfddf43bbd6df2441f2dfa46f98f04b7b4d0f4f079b60abaaa21a1ab3e0
- SHA512
  
  c84e95cca9f8b901fe904937b70c23f7b86dc1037905d8bf0c6f8602a41abf4305bc1eb925447c1b74123d974b2f752eccfdd184ddf6cef6d7eb7194832d2ce1
- SSDEEP
  
  12288:EBQstBghoWlHkXMzIuZFquh4cilkfiEW:8DYhoWlHml3u9iqf
Score

3^/10

discovery
behavioral17 behavioral18
- Target
  
  bs_wm.di
- Size
  
  64KB
- MD5
  
  1321edc324c693184631b27870745b75
- SHA1
  
  aadda09fe92940aaac81c7733c3b636ea9592f34
- SHA256
  
  c00718b18ed6d0ee5021ff1a35f164676385c5b23f40ae332af6ea7805af3a9a
- SHA512
  
  5ce976ef98ee882f5dc2ae5366e5e08461ffa292b26bc1a24cf2bff52543f4ebd1eeaa3bf07616520d689d7b1afbdde6c3483ce9dfba59eb0ebaca3f170a9a4b
- SSDEEP
  
  1536:sPheLWulsWgcovqchWxhOMyP6mJiSmX9DBZ/B:sQlsW5ov3hEhY6mJiSmX9DBJB
Score

3^/10

discovery
behavioral19 behavioral20
- Target
  
  i386/CbFsMntNtf3.dll
- Size
  
  151KB
- MD5
  
  d48ecfbbcbfee2b91f369394759bcdb3
- SHA1
  
  3b19a6eba987f850a09dd8d4b4e9a4f5a12b99a8
- SHA256
  
  1cbfad3699e6b14a56d9c55caeb65253d440e426431278a0968cc0308a8d1d95
- SHA512
  
  2840869544bc099ad7b7c327ba2f1bf4e4cea27414c43b19a425b9e2b2ec971a4d93ce79253dfe7ecc8a463fa45e1c50b24342bfefd3fcfb199f5d586604b73c
- SSDEEP
  
  1536:W8B5kdgz33c6J9N2YXxn+42sgqf/jme/SSbaEEUkggEG34cvhWVPIWtZrm8gCy4F:W8gO3Tn2YXxNB7jorVQhIWtZrHgJ4W+
Score

10^/10

adware discovery persistence stealer
- Adds autorun key to be loaded by Explorer.exe on startup
  persistence
- Modifies Shared Task Scheduler registry keys
  persistence
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
behavioral21 behavioral22
- Target
  
  i386/CbFsNetRdr3.dll
- Size
  
  211KB
- MD5
  
  06cab63531728cd07c4d338f65bd89bd
- SHA1
  
  d384dbe90d710b0b568d5ab3b418912699663ce2
- SHA256
  
  85a43ad4075ce9051f8fc9dfbda983da84e337803e6463fec4467c6147034b0e
- SHA512
  
  95ddb6c1b9b79ff72a65a2ccfb841f431692a8db1eacc758a7e5b98a21ea0ae77be2cff1d182a5eec283f7feabfd28dfec1eaa9b59798f8476dd7187b6a6cf41
- SSDEEP
  
  3072:ihvQV83s8dx3sKUKZ/TpWQYlbrThbdgtL6PZLie/eGbUCVmTzrr2h40qkISFDCtl:iGV8933UKvNqTYgPoGQNEZFW
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  i386/cbfs3.sys
- Size
  
  269KB
- MD5
  
  b849d37ab7b0fba5db44e9be3bbecc82
- SHA1
  
  bfa82ea861fa476da74c6b21f5be0d0123d5000b
- SHA256
  
  44541d9088b105f29e5d585c9e9130ed193e48d50c920e9d2d87bd4f84608034
- SHA512
  
  9c0511e88eec0c43a4ff910d2599cc5a4ff9a3822c7c5734b45e480c5eed8032611b2a76cd0e3f9a7485c39f37b7d715c21b26d0ab1b2877f4533f58c90bbbce
- SSDEEP
  
  3072:JUvXQ/uHrVRJspz9JEAF0+Vn/FzueFpdVvZ7OT/UkCUa6WVZLVi7EtTSWBS6213F:iwICPpdNZ0C6WVZVi7EAeS6a3Mc
Score

1^/10
behavioral25 behavioral26
- Target
  
  ia64/CbFsMntNtf3.dll
- Size
  
  846KB
- MD5
  
  cb406a2828997e6e5589f80d1359595d
- SHA1
  
  55aa923b3951930c6bf3284eb9fb80c792631561
- SHA256
  
  aee52ecd6ea543c6c26fc587ef44ba29603d8e595b3cf0e7329c8af0c9be5dd5
- SHA512
  
  4a0e9fd1187e3bbae2d57f9d4416e89ec7a882a8ce51a464a91fbe41e09ec04f06dc1c3dc2507138b9bc2d42a39f2579e257b436908ed2b0bedb27e93ecc8eca
- SSDEEP
  
  6144:5dWtK7SFM8bOneReK3OSQzxXqpZn894TrdTgE0eNCLS/oeROMYWL3TiTdPCNLvJz:9I/bCEgWPjqmXETf4v1
Score

1^/10
behavioral27 behavioral28
- Target
  
  ia64/CbFsNetRdr3.dll
- Size
  
  659KB
- MD5
  
  366fdf2c48ae92ac8bf14005381775ef
- SHA1
  
  2ecadca08a55be2da55f7519e664999a63c5ccb4
- SHA256
  
  4596bd54aeb41a62ae33a3b154ed9b53dfbde58b4c0379aff20e826eaadc3646
- SHA512
  
  a0d4e810a04b43a97e60a1bd4855250b0fb878336d8f939b7f5393bbe5311102cb4a68c4f4f181618950a1880342ce96a3bf69131aef51ac56b3be051bddd34a
- SSDEEP
  
  6144:AUbQ0qY/5q+YTaM8ub0aA7zBQ5GnxkKGe/TYc/KI2Ixnwdq1e+L+niBIaoDz6wD8:D+yhr1e8lcmViz6tbwaiHO
Score

1^/10
behavioral29 behavioral30
- Target
  
  wow64sup.exe
- Size
  
  91KB
- MD5
  
  c2c17a13a69ef7bec4b19537c3b90d0b
- SHA1
  
  6f3e1b8daa25f4c302b7cbc106ec0a4374a37ef9
- SHA256
  
  6506fa30073caafa4ee9a7df56867022f888d0bca751c028c5fdc70c87f0f4f5
- SHA512
  
  9005ad0b12d108443b07ab0ef6bc01dce257a0196851f1516ca2b45f17e7e41aef04e87678b628f913b1ecccdddd44062cefd2b10deb4120a73d81f9b5a018c0
- SSDEEP
  
  1536:jfJ7YkfdzojISANxTjZBeio97qw3K7RtVyVaJqHPIfciLXqhdoVu:oI9NBlBei0q8KGVacHPIfciL63
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Writes to the Master Boot Record (MBR)

UPX packed file

A potential corporate email address has been identified in the URL: [email protected]

Checks BIOS information in registry

Deletes itself

Executes dropped EXE

Loads dropped DLL

Adds autorun key to be loaded by Explorer.exe on startup

Modifies Shared Task Scheduler registry keys

Installs/modifies Browser Helper Object

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32