General

  • Target

    UltraDropper.exe.malw

  • Size

    2.1MB

  • Sample

    241210-mmb1vstkfs

  • MD5

    6edf10f259e3cd59535b784f74d2835d

  • SHA1

    278298bd06ee27c9f6587db0138ac74bb62288fe

  • SHA256

    16f888bcab3a3b564f801f5792cc85f81ebb6b07ff1ee1a6443c34f89e4b7687

  • SHA512

    8036b4107ec818b06d363d026b19df4cf2a6f396d7690ec7845a9d66236a18a17ecaf934eab1891d7f0f6e327977144f5626e4185fc010ad7a9bf95ea78df878

  • SSDEEP

    49152:4W2vZKbn0KJrgcvZ4dvTrRpjgYhNWue0CJAob:wvZKrJ5vZ4drfgYOfP

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes
  • payload_urls

    https://raroford3242.xyz/myupdate.exe

    https://raroford3242.xyz/Sklmsstregens.vbs, https://raroford3242.xyz/remcexecrypt.exe, https://raroford3242.xyz/redlcryp.exe, https://raroford3242.xyz/racoocry.exe

    https://raroford3242.xyz/myupdate.exe

    https://raroford3242.xyz/myupdate.exe

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE9C8agzYaJ1GMJPLKqOyFrlJZUXVI
3
lAZwAnOq6JrEKHtWCQ+8CHuAIXqmKH6WRbnDw1wmdM/YvqKFH36nqC2VNA==
4
-----END PUBLIC KEY-----
eck1.plain
1
-----BEGIN PUBLIC KEY-----
2
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2DWT12OLUMXfzeFp+bE2AJubVDsW
3
NqJdRC6yODDYRzYuuNL0i2rI2Ex6RUQaBvqPOL7a+wCWnIQszh42gCRQlg==
4
-----END PUBLIC KEY-----

Targets

    • Target

      UltraDropper.exe.malw

    • Size

      2.1MB

    • MD5

      6edf10f259e3cd59535b784f74d2835d

    • SHA1

      278298bd06ee27c9f6587db0138ac74bb62288fe

    • SHA256

      16f888bcab3a3b564f801f5792cc85f81ebb6b07ff1ee1a6443c34f89e4b7687

    • SHA512

      8036b4107ec818b06d363d026b19df4cf2a6f396d7690ec7845a9d66236a18a17ecaf934eab1891d7f0f6e327977144f5626e4185fc010ad7a9bf95ea78df878

    • SSDEEP

      49152:4W2vZKbn0KJrgcvZ4dvTrRpjgYhNWue0CJAob:wvZKrJ5vZ4drfgYOfP

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Emotet family

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Eternity family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Windows security bypass

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables RegEdit via registry modification

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.