General

  • Target

    bb83597cdf057db754def79d3f94b6cf8837b358178e10e4cc792da56a7523b3

  • Size

    51.4MB

  • Sample

    241114-k5jsbawgnd

  • MD5

    5b44285747891464c496aa477e450f10

  • SHA1

    73417ded382af2e0f3fca04d8d07679af134038b

  • SHA256

    bb83597cdf057db754def79d3f94b6cf8837b358178e10e4cc792da56a7523b3

  • SHA512

    6855cc7f80972bd9ec0b138220636aca9b4e24e5a2d5663cf5147ee154b0d28a08facbbb44dcb336eefce7fccc6296d0644ed3a2e1b81f2cc0de8a616fccafe6

  • SSDEEP

    12288:TbjNtn78DnM5CnYFE/oS2P5NdhuKp5AyE9KpNwZ66T9Nzk:TNto2i/J2P5ThuM5XE9aNwZs

Malware Config

Targets

    • Target

      bb83597cdf057db754def79d3f94b6cf8837b358178e10e4cc792da56a7523b3

    • Detect Rokrat payload

    • Rokrat

      RokRAT (also written Rokrat) is a remote access trojan written in C++ and publicly attributed to the APT37 (ScarCruft) threat group.

    • Rokrat family

    • Blocklisted process makes network request

    • Checks BIOS information in registry

      Reads the firmware description values under HKLM\HARDWARE\DESCRIPTION\System\BIOS (for example SystemManufacturer, SystemProductName and BIOSVendor). Virtualisation and sandbox products leave vendor strings such as "VMware", "VirtualBox" or "QEMU" there, so this lookup is a common sandbox-evasion check: the payload compares the returned strings against a blocklist and exits or changes behaviour on a match.

    • Checks computer location settings

      Reads the country code (a Windows GEOID) stored under HKCU\Control Panel\International\Geo\Nation. Reading this value is a typical geofencing step: the payload runs only on, or refuses to run on, machines configured for particular countries, which also keeps it inert in sandboxes with a default locale.

    • Deletes itself

    • Command and Scripting Interpreter: PowerShell

      Executes commands through powershell.exe (ATT&CK T1059.001).

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity (ATT&CK T1070.004); here this corresponds to the "Deletes itself" behaviour above.
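The two registry-based evasion signatures above ("Checks BIOS information in registry" and "Checks computer location settings") can be reproduced from a sandbox's API-call trace. The following is an added example, not part of the report or of the sandbox's own signature engine: it parses a constructed, pipe-delimited trace format (pid|image|RegQueryValueEx|key|value|data, an assumption made here for illustration), flags reads of the BIOS and Geo\Nation keys, notes whether the BIOS strings the sandbox returned would fingerprint it as a VM, and decodes the GEOID with a small subset of Microsoft's table.

```python
"""Flag sandbox-evasion registry reads in an API trace (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Registry locations behind the two signatures in the report.
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"
GEO_KEY = r"HKCU\Control Panel\International\Geo"   # value "Nation" holds the GEOID

# Vendor strings that betray a virtualised/sandboxed host when found in BIOS values.
VM_MARKERS = ("vmware", "virtualbox", "vbox", "innotek", "qemu", "bochs",
              "xen", "parallels", "hyper-v", "kvm")

# Small subset of Microsoft's GEOID table (full table is in the Windows SDK docs).
GEOIDS = {244: "US", 134: "KR", 122: "JP", 45: "CN", 203: "RU"}


@dataclass
class RegRead:
    pid: int
    image: str
    key: str
    value: str
    data: str


@dataclass
class Finding:
    signature: str
    pid: int
    image: str
    detail: str


# Constructed trace line format (assumption): pid|image|RegQueryValueEx|key|value|data
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\|(?P<image>[^|]+)\|RegQueryValueEx\|"
    r"(?P<key>[^|]+)\|(?P<value>[^|]*)\|(?P<data>.*)$"
)

# Constructed sample trace; not taken from the report above.
SAMPLE_TRACE = [
    r"4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|RegQueryValueEx|"
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS|SystemManufacturer|VMware, Inc.",
    r"4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|RegQueryValueEx|"
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS|SystemProductName|VMware Virtual Platform",
    r"4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|RegQueryValueEx|"
    r"HKCU\Control Panel\International\Geo|Nation|244",
    # Unrelated read: must not produce a finding.
    r"4120|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|RegQueryValueEx|"
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Hidden|1",
    "malformed line that the parser must skip",
]


def parse_line(line: str) -> Optional[RegRead]:
    """Parse one trace line; return None for lines that are not registry reads."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return RegRead(int(m["pid"]), m["image"], m["key"], m["value"], m["data"])


def classify(r: RegRead) -> Optional[Finding]:
    """Map a registry read to one of the report's evasion signatures, if any."""
    key = r.key.lower()
    if key == BIOS_KEY.lower():
        # Any VM vendor string in the returned data means this sandbox is fingerprintable.
        hit = next((mk for mk in VM_MARKERS if mk in r.data.lower()), None)
        detail = f"{r.value}={r.data!r}"
        if hit:
            detail += f" (exposes VM marker '{hit}')"
        return Finding("Checks BIOS information in registry", r.pid, r.image, detail)
    if key == GEO_KEY.lower() and r.value.lower() == "nation":
        try:
            geoid = int(r.data)
        except ValueError:
            geoid = None
        country = GEOIDS.get(geoid, "unknown")
        return Finding("Checks computer location settings", r.pid, r.image,
                       f"GEOID {r.data} -> {country}")
    return None


def analyze(lines) -> list:
    """Run every trace line through the parser and classifier."""
    findings = []
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        f = classify(r)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings) -> dict:
    """Group finding details by signature name, report-style."""
    out: dict = {}
    for f in findings:
        out.setdefault(f.signature, []).append(f.detail)
    return out


if __name__ == "__main__":
    for sig, details in summarize(analyze(SAMPLE_TRACE)).items():
        print(sig)
        for d in details:
            print("   ", d)
```

The VM-marker check is the part an analyst cares about most: a BIOS read by itself only tells you the sample looks for a sandbox, but a hit on the returned data tells you the sandbox actually lost that round and any later "benign" behaviour in the run is suspect.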

MITRE ATT&CK Enterprise v15

Tasks