Overview

overview

10

Static

static

10

flash ETH v.1.exe

windows10-2004-x64

10

S444.exe

windows10-2004-x64

10

SYS.exe

windows10-2004-x64

10

USDT Flasher.exe

windows10-2004-x64

3

ss32.exe

windows10-2004-x64

10

winlogoc.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    flash ETH v.1.exe

  • Size

    701KB

  • Sample

    241209-2yyfkazjhk

  • MD5

    d57ac3c31d7069ee6a76c3572f5c234a

  • SHA1

    e6f3b23343a9b716c7529d282a2322c1f528b576

  • SHA256

    e73c96538ec60c2117b6ed82b7f95f8894abed022ee9ab03c1be90ebd9722f06

  • SHA512

    cb4334c76c427305b9b83f2d110e75827c4a83d296679aa04876ccbfd35c7787014a914b722348c076f5d2a3f306f98fdced54ad967953af4ad25d3f3c9eb529

  • SSDEEP

    12288:YwEWeJxd5eyh4R0a6mQlRkORS2DNIWWo0dK+/rYtlsfhZDFyJ/b9A64YVNSANzNc:YBfneyh4R0NPRFXBJWo0dK+/sjkhZZyM

Score
10/10
asyncratr77stormkittyxwormdefaultdiscoveryevasionexecutionpersistenceprivilege_escalationratrootkitspywarestealertrojan

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7170788789:AAFDgtgiOhG8owpmypRYbNLRYrxlniuiyIs/sendMessage?chat_id=6101540297
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

C2

SLL.casacam.net:4444

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    Interrupi.exe

aes.plain

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://github.com/NGROKC/CTC/raw/main/CTC64.dll

Targets

    • Target

      flash ETH v.1.exe

    • Size

      701KB

    • MD5

      d57ac3c31d7069ee6a76c3572f5c234a

    • SHA1

      e6f3b23343a9b716c7529d282a2322c1f528b576

    • SHA256

      e73c96538ec60c2117b6ed82b7f95f8894abed022ee9ab03c1be90ebd9722f06

    • SHA512

      cb4334c76c427305b9b83f2d110e75827c4a83d296679aa04876ccbfd35c7787014a914b722348c076f5d2a3f306f98fdced54ad967953af4ad25d3f3c9eb529

    • SSDEEP

      12288:YwEWeJxd5eyh4R0a6mQlRkORS2DNIWWo0dK+/rYtlsfhZDFyJ/b9A64YVNSANzNc:YBfneyh4R0NPRFXBJWo0dK+/sjkhZZyM

    Score
    10/10
    asyncratr77stormkittyxwormdefaultdiscoveryevasionexecutionpersistenceprivilege_escalationratrootkitspywarestealertrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Detect Xworm Payload

    • R77 family

      r77

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • r77

      r77 is an open-source, userland rootkit.

      rootkitr77

    • r77 rootkit payload

      Detects the payload of the r77 rootkit.

    • Async RAT payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral1

    • Target

      S444.exe

    • Size

      33KB

    • MD5

      17e158e0f91dcc8168f2e416035926ed

    • SHA1

      aac8bf1174db86568aab282b8a8de953c372ef1e

    • SHA256

      bb0ef384a2d6f8fff82eecd15908bd39146ffa65810c2c56934c32c88abac94b

    • SHA512

      383df3fa4eaecbfc6698961d3a8f5fe726db3e0cddf83f357bc9f2947328a284f4fe5b13f2eb866ea9c50eafbb5fc45b788b8401edffcbfc5bf068f545dd167c

    • SSDEEP

      768:WdQHdYES3hnpwEC/uc/zBaP09K737hNWhlLF:W7x8zgs9W37hMPJ

    Score
    10/10
    r77discoveryevasionexecutionpersistenceprivilege_escalationrootkitspywarestealer

    • R77 family

      r77

    • r77

      r77 is an open-source, userland rootkit.

      rootkitr77

    • r77 rootkit payload

      Detects the payload of the r77 rootkit.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Legitimate hosting services abused for malware hosting/C2

    behavioral2

    • Target

      SYS.exe

    • Size

      226KB

    • MD5

      1bf114677a69802600ff29c5ce65f464

    • SHA1

      9d05e8414eea793f8260bfb05f359c9b056c7e43

    • SHA256

      57b0c0581e640d275739c192361ec44d4d2af6db1dc74ea4e7e77e1c5e666736

    • SHA512

      d111b149ef24c165976dd37a16e5525f73752a4f3ec66d0cf4faace019e27a8e09815655bbdfe428791dbda365e1172819a820df19d0a5647f21fcadf1afabe2

    • SSDEEP

      3072:S+STW8djpN6izj8mZw7qe73gROUbBK+QIuhuDGRTgVK6+Wpd:P8XN6W8mm7qeJUbopIIeK

    Score
    10/10
    asyncratstormkittydefaultdiscoverypersistenceprivilege_escalationratspywarestealer

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    behavioral3

    • Target

      USDT Flasher.exe

    • Size

      775KB

    • MD5

      8584a85ec4f91388e65c963c2b458f33

    • SHA1

      023812da246e015601307c357cd4c685df28977c

    • SHA256

      a4c72195c7e45148d8c98c6a58c9c71dc480d496c2daad053b4bfab581225f62

    • SHA512

      b72bb8d9b842c145c5f3b0a2dfb9eac21e297c871388150386e5f74f4946e8a616e597a3d7a63eff8919789c9527f2f4e4861b4f76ff3713c80c292e9105e9f6

    • SSDEEP

      24576:2yGWSbe8meoiy7XlHEVVLaGWSbezGWSbey4RSbe:5X1EVVL

    Score
    3/10
    discovery
    behavioral4

    • Target

      ss32.exe

    • Size

      94KB

    • MD5

      cbe1be5547cc26f924d6fa48b4abca92

    • SHA1

      972f9afdb39425a4764be0a91552613e49eba7f3

    • SHA256

      549565dab31274ecd5370f02766116260e56390b405231ddaf3a7186395f1d9f

    • SHA512

      be567464ab80a4c00f7b499c1b645cf2ef301242a5feffad1b6dca8b2281f066a9f0ae63fbf8715c3e3c3b0dc6c8e1093d057ff245c5de5f8b39da37eb56a272

    • SSDEEP

      1536:GW4ZYDn38RoEv9fEonXRyoZX7rhC5Hg4P0lALoVrZ+hR40qvUusn47k:GW4Zs38pvBXn/nhgHg43LsUnqMusn47k

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    behavioral5

    • Target

      winlogoc.exe

    • Size

      72KB

    • MD5

      33fba80c2580eebf95e25dea03331f68

    • SHA1

      d0ed67fbbff537eb393206fc41c18d59b9a4bb3c

    • SHA256

      4cbe94aefe8a24ebac9fb5c11c1efc89c15b1a7b1a2bf3587baface318ee4b2b

    • SHA512

      8213c45c68a38984a2ad11ab0651ae9933dc538ff260e31753f2f9c3aacff038048bcf2680bb7993b5f4005f48ae7e5c74e7325bdf6ef20df1ae7aa58f7ae4bc

    • SSDEEP

      1536:UzF1OeqsJlPPf/TpX0bOc2yu/n+77QOI3taVwi4y:yFBibOL/nSsOI3tR5y

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence
    behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

AppInit DLLs

1
T1546.010

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

AppInit DLLs

1
T1546.010

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

3
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Wi-Fi Discovery

1
T1016.002

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks