General

  • Target

    SchooisMultitoolSetup.exe

  • Size

    421KB

  • Sample

    241120-g4v76ssejc

  • MD5

    22a4e07eda10238a87e7effd7b12926d

  • SHA1

    232499c11afbb30ba211c0cab9466c6d2f4e0b66

  • SHA256

    4b9e4bbd675a45f1a99d54bff55576ba3c6d79ab76ea30e143d89fc1543e8580

  • SHA512

    cc63c63e47e36950334ce8f41d29db70e0018d71215aac2a73e71402ccded0f0bc7b5de696c52fe5adac1249229a0ca9e30f5743df32ceea13b2f1ecea960e74

  • SSDEEP

    12288:XfYis11Dexvq/deq8PeP4M4b9wOGfaehcJf+y8JeUfYR:XfYis11Dexvq/deq8PeP4bpaKp+yhFR

Malware Config

Extracted

  • Language

    ps1

  • Source

  • URLs

    ps1.dropper
    https://community.chocolatey.org/install.ps1

Extracted

  • Language

    ps1

  • Source

  • URLs

    ps1.dropper
    https://chocolatey.org/install.ps1

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper
    https://raw.githubusercontent.com/SchooiCodes/file_hosting/main/7z.ps1

Targets

    • Target

      SchooisMultitoolSetup.exe

    Score
    8/10
    • Blocklisted process makes network request

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      192639861e3dc2dc5c08bb8f8c7260d5

    • SHA1

      58d30e460609e22fa0098bc27d928b689ef9af78

    • SHA256

      23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

    • SHA512

      6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

    • SSDEEP

      192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr

    Score
    3/10
    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      b7d61f3f56abf7b7ff0d4e7da3ad783d

    • SHA1

      15ab5219c0e77fd9652bc62ff390b8e6846c8e3e

    • SHA256

      89a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912

    • SHA512

      6467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8

    • SSDEEP

      96:ooEv02zUu56FcS817eTaXx85qHFcUcxSgB5PKtAtoniJninnt3DVEB3YMNqkzfFc:ooEvCu5e81785qHFcU0PuAw0uyyIFc

    Score
    3/10
    • Target

      Files/Apps/7z.bat

    • Size

      844B

    • MD5

      1c451e2da79fef2d9321de2ea7b45441

    • SHA1

      d88c4420afd5ac5817d1ddf704ff662b91f2972d

    • SHA256

      bbd164eb4e0d58b109e765d9a2278c8cfcbc4096bbe75de823db05c2caa47b6e

    • SHA512

      0202c51a522665a0986bf6b0c9ed7497d0aa796f6cc9c085c40962c333e77f9cc309319d0487b800b9981f5932a109f62ab075088df55560285438bb7aef1751

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Files/Apps/SuperF4.bat

    • Size

      534B

    • MD5

      561400dc8a63d4b4cc87cabac9e8422a

    • SHA1

      69502ed43cf6e495c060fac70a5ef37f4f15ca53

    • SHA256

      767bccd41110d92c69bba5aaceea296f7e0b61fd1f9e09a3fa1ed08e8a8b8282

    • SHA512

      8c3efaedb0c9d7bc9de04dbe0d9c2b7a33b2b40a2f0836e719aabdf6197d2c4cdeece3b5eb0276f3484236dc99b797d63324ababa5dd1d4220af693910f12046

    Score
    8/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Files/Apps/bts.bat

    • Size

      227B

    • MD5

      0cfdb01d34041f9e16ddd9f17e3f4789

    • SHA1

      393afcbc7fb973b5c2893b8085092f0c2c45311e

    • SHA256

      528ed4942a647ee78a31aaa788ef27b7fe747fcf9fc0e97192ad9a0aaf97c0c2

    • SHA512

      19e96f69fe9b335941b2ae107ca5eeb366825a399428df4af86faabc9f858e09b5bdb4080cff0db89c3a49dd26b77aa25b0e857572a4c39afddc112b113adcd0

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Target

      Files/Apps/chrome.bat

    • Size

      402B

    • MD5

      d776640ad800949d98208ec997899b77

    • SHA1

      693b1050f6458c679fdb821e6ced8a79d5640143

    • SHA256

      8a3fb07e6e9765bf8c6b40c7cea663a4cf65ccf1d7519fac88e5e7ec5bf4613a

    • SHA512

      3c75486e8e3f6a46313d9c7b9c4791a73c09b0d138dabadc11f0767232927a89242682753736cc4ce22685530dddc241985f79a7dbfb34bbfa8f5d51a5ccf0c8

    Score
    8/10
    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      Files/Apps/ctt.bat

    • Size

      206B

    • MD5

      7572c139fbfdb2a7c376581a6048b3dc

    • SHA1

      6d58696ac2de4ef789dc153e8a6100c74967fca6

    • SHA256

      0dd4a0a9e1521cb80ee601112d194ddb8a620f0bb86dee3bb8337174c48c27fa

    • SHA512

      bcb42aff70d65b53da7c4701614ddabaff5d4942b755de746843cfc207ba32a425f4e1ce24ab168bd4cdf516e16cdc95987d9c3350aeb12b5d7c11d9d8dc7928

    Score
    8/10
    • Blocklisted process makes network request

    • Target

      Files/Apps/fastfetch.bat

    • Size

      375B

    • MD5

      ee8a03fcbbfb22f1d163049207579c43

    • SHA1

      8d5f8aedc16d9840e71217bc65d3a6b49416c73a

    • SHA256

      b47a0737e02f77f70b6686f9c8de6f669586ed4e13d4f6d985d7097207601209

    • SHA512

      9cbeede49c420fee887513f285a3c4b4e358b180a4f544366dc6cc624dd59f707a6f4f1fb5dd1b149def44b9b9c3659ed73046a38258575c91fc8cf1ca6eb187

    Score
    8/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Target

      Files/Apps/firefox.bat

    • Size

      1KB

    • MD5

      51258a272fb1a43d19a099ae5a49b918

    • SHA1

      88c3eb4a5cff1a2a97fa247a6a45a47e6803618e

    • SHA256

      dc6c130992a0b42cd6aec0b0ddcd84ef6f4d757c5d2b871f7cca4a641d2240e0

    • SHA512

      b67c94e8ac494301413cd7109b80e55bef97f2c5fb2b969bfc04a7a25b22bf8150d8c245688320bb1a62f8f6c8beb749b3c83a769fb06a59897fe8015c4d4009

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      Files/Apps/flux.bat

    • Size

      290B

    • MD5

      629667380059fb33d4933a722c139be3

    • SHA1

      a52944fdceef5368eaf140558066df825b35ea28

    • SHA256

      86d43de03fd141ad2180804577f817534f27cced767a8451b4804f47cc6037ee

    • SHA512

      ad474e7582751447067b002f2af3ab473d40087a3ce850551dbf2636887c3279aa58b57b930892585419e0df10e31deb42503bc787cb394df9dcea4ce1abed92

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      Files/Apps/geek.bat

    • Size

      1KB

    • MD5

      0234fed5fac93a5888925331acabd441

    • SHA1

      4af4ac61ccacfb361c39d86b7c7700476deca049

    • SHA256

      9090767211e7b2b5c23304712fe55e3beeea78364a95088bab3554174fc51eee

    • SHA512

      df148b1b048336731293ce6d2c5d0e7bb0dd0806254aa447d47e0216885a93f284c2aa93bddca67dd2b345f549837f8942b3f088092c58ffff238ae91b861636

    Score
    10/10
    • Blocklisted process makes network request

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Target

      Files/Apps/git.bat

    • Size

      634B

    • MD5

      b038cfe94c61d0c4fafd3980c02b7ee5

    • SHA1

      51a5a125614a2aab749db78d1c1541a496b2d146

    • SHA256

      0c3002057247aaf88ae0d16f34021f5e9dc78a6da49f26e3e163089f7e912f85

    • SHA512

      02ee574a0bc3a36798a3a1729a16cfaaccec3c65fe54317680b2553b83ec316a927baeb4447d308366da49168dcbd44043ee6195424ac50feed546d995b83c67

    Score
    8/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Target

      Files/Apps/logo.bat

    • Size

      3KB

    • MD5

      e96569aa0cc42136bd51bc79455c945b

    • SHA1

      cbb7839981a2b7a9576ea20600183e5f0b3fa23f

    • SHA256

      1b0d647d3f677db2b4bbb598ba9a1f78f5f1d4c5eeda104691a65679b18b7488

    • SHA512

      14343e6bd84f963bc68e45aae0a341c796b2d34a34ef274ce26684118221de5c9da2edba456332e6f95eebfb488890cc7a75e5501978fcc631025db63cc59a13

    Score
    1/10
    • Target

      Files/Apps/pcm.bat

    • Size

      474B

    • MD5

      bd94097bc383679f0b5e46c9e1a599ac

    • SHA1

      d362cf3a09e38cdb2f542ae5e3093475dae49b76

    • SHA256

      2dc448b242e53ae269bc700c03276ef2e523b01a0b91b6690ed3074b8133e376

    • SHA512

      95aa276c74491a00334ed5a33c808f19c200883a9f4caac559728a86334bc01865eacde01a302d587dfc20096c3667f9ccd00c618fbb2e04380460ca985cd3c0

    Score
    8/10
    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Powershell Invoke Web Request.

    • Target

      Files/Apps/ps7.bat

    • Size

      1KB

    • MD5

      b83b3e4786261c97aceb379ab170e81d

    • SHA1

      96d92ee43eac3e67ad6959b6f66012dcc51fd992

    • SHA256

      5741408cf05b802d5a67eab4ed0ec9cdf965b0fa718187eb3d72376b47dadb1c

    • SHA512

      d8bcab23933d4fdbd67089349861a5c95ff4ed2a823c647e647d5c8dc853d44e5a9d48d339937d11a3dcc3d5233f2b88fc2144733d1467eb528c6b63b85dcf63

    Score
    10/10
    • Blocklisted process makes network request

    • Download via BitsAdmin

    • Executes dropped EXE

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

MITRE ATT&CK Enterprise v15

Tasks

Task           Tags                                                      Score
static1                                                                  3/10
behavioral1    discovery, execution                                      7/10
behavioral2    discovery, execution                                      8/10
behavioral3    discovery                                                 3/10
behavioral4    discovery                                                 3/10
behavioral5    discovery                                                 3/10
behavioral6    discovery                                                 3/10
behavioral7    execution                                                 10/10
behavioral8    discovery, execution, persistence, privilege_escalation   8/10
behavioral9    execution                                                 8/10
behavioral10   discovery, execution                                      8/10
behavioral11   execution                                                 3/10
behavioral12   execution, persistence                                    8/10
behavioral13   execution                                                 6/10
behavioral14   execution                                                 8/10
behavioral15   execution                                                 3/10
behavioral16   execution                                                 8/10
behavioral17   execution                                                 6/10
behavioral18   execution                                                 8/10
behavioral19                                                             1/10
behavioral20   discovery, spyware, stealer, upx                          8/10
behavioral21   execution                                                 3/10
behavioral22   discovery, execution, persistence                         8/10
behavioral23   execution                                                 10/10
behavioral24   execution                                                 10/10
behavioral25   execution                                                 8/10
behavioral26   discovery, execution                                      8/10
behavioral27                                                             1/10
behavioral28                                                             1/10
behavioral29   execution                                                 8/10
behavioral30   execution                                                 8/10
behavioral31   dropper, execution                                        10/10
behavioral32   dropper, execution                                        10/10