General

  • Target

    46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

  • Size

    148.2MB

  • Sample

    241221-wcbf1svlgs

  • MD5

    875294d0dba88dbc80c33a5cbb110b41

  • SHA1

    3727db2a114f7302be5d5a3ef212bc0922060346

  • SHA256

    46dc49be65d7165e2a6009854a4f27f0088230199e61e0555cb1bd266535874a

  • SHA512

    4482e49c33c076cbde30a4da9c7283ef9cc67ae3ae75d9217ea402c206f6fc82aa4ffe90b76ab18c79cda6a7c1e302c02abda6736d594df2b2db273d013e07ab

  • SSDEEP

    3145728:w0nOB9p1TEOzCfe/rMucwDUsf/xv6i+BpJA2zDI5HWhLnYEiU53i9dFzH:w1AOzKqnqsf7+BXAigHW/RCH

Malware Config

Extracted

Family

cobaltstrike

Botnet

0

C2

http://www.google.com:443/__utm.gif

Attributes
  • access_type

    512

  • beacon_type

    2048

  • crypto_scheme

    256

  • host

    www.google.com,/__utm.gif

  • http_header1

  • http_header2

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • pipe_name

    \\%s\pipe\msagent_%x

  • polling_time

    60000

  • port_number

    443

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

  • unknown1

    6.71092736e+08

  • unknown2

  • uri

    /___utm.gif

  • user_agent

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)

  • watermark

    0

Extracted

Family

qakbot

Version

322.368

Campaign

1535648626

Credentials

  • Protocol:
    ftp
  • Host:
    37.60.244.211
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    4AsEzIaMwi2d

  • Protocol:
    ftp
  • Host:
    198.38.77.162
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    kJm6DKVPfyiv

  • Protocol:
    ftp
  • Host:
    61.221.12.26
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    346HZGCMlwecz9S

  • Protocol:
    ftp
  • Host:
    67.222.137.18
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    p4a8k6fE1FtA3pR

  • Protocol:
    ftp
  • Host:
    107.6.152.61
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    RoP4Af0RKAAQ74V
C2

Extracted

Family

limerat

Attributes
  • aes_key

    12344321

  • antivm

    false

  • c2_url

    https://pastebin.com/raw/7m5Ddsgv

  • delay

    3

  • download_payload

    false

  • install

    true

  • install_name

    svchost.exe

  • main_folder

    AppData

  • pin_spread

    false

  • sub_folder

    \system\

  • usb_spread

    false

Extracted

Family

gozi

Extracted

Family

warzonerat

C2

smartconnect.duckdns.org:39

151.80.8.32:9090

Extracted

Family

lokibot

C2

http://clogwars.com/~zadmin/lmark/seng/link.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Targets

    • Target

      foo/0044d66e4abf7c4af6b5d207065320f7

    • Size

      127KB

    • MD5

      0044d66e4abf7c4af6b5d207065320f7

    • SHA1

      07e73ac58bee7bdc26d289bb2697d2588a6b7e64

    • SHA256

      b6d19c3e6e82bbde62984f50144ce4d98a18871374ec5d313489d5831317c480

    • SHA512

      25633ea2e3cc78262ba69de30d2d3b7f6c013ce3bcbad2eda3c424ac50d7c0b7169372c5ad2b2cd81748ea0622f3db5ba3429f0d3ecfd3feabbfc65d961af5dd

    • SSDEEP

      3072:Z81clNypY+TjMulQXTR5aJPh7w/1VOCINO2L2Sy7CU9/7NXeLKo1tjv:ZAclNyW+PtqR5M7o1VP+2R7CU9DNXemu

    Score
    3/10
    • Target

      foo/034e4c62965f8d5dd5d5a2ce34a53ba9

    • Size

      416KB

    • MD5

      034e4c62965f8d5dd5d5a2ce34a53ba9

    • SHA1

      edc165e7e833a5e5345f675467398fb38cf6c16f

    • SHA256

      52cb02da0462fdd08d537b2c949e2e252f7a7a88354d596e9f5c9f1498d1c68f

    • SHA512

      c2de626a339d21e5fd287c0e625bca02c770e09f9cad01005160d473164fa8edc5fc381b6ddd01293bdd31f2d7de1b0171674d12ec428e42a97d0ed0b7efb9dd

    • SSDEEP

      6144:FP/443+dYgkzGGbeX3xHLTpyrPqWTdpcZnrPNmZMiTwvHuQaDqIZ3oOk:Fo4OyxbeH15ynTdpcPsZlwG1DqIZ1k

    Score
    4/10
    • Target

      foo/035fa2f2fae0a8fad733686a7d9ea772

    • Size

      291KB

    • MD5

      035fa2f2fae0a8fad733686a7d9ea772

    • SHA1

      411ee99b26bb612b1905b0c7254129fb1dd0cb56

    • SHA256

      f823ee1362132d0c4cb632829abbaae16b7ae8f938e86a10bdab3897e4f5dc8c

    • SHA512

      9a58f3b940e83e79fd7c7353b8d20947ab45ee48c617217f7c5ac58b1a0d0b5904eda1d49eb118a55f309291055b50b4710a6ab598ae5b29bbb6ff541ab599f1

    • SSDEEP

      6144:hU/fPSy2JA1hNbd+DBkY4vfZq05OW9ZA8rkjos1qLej:hk3Sy2JIhNbdEkxvfZNT9ZA8rEos1Rj

    Score
    6/10
    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      foo/04884a82d01d733f245d921e1f74fb1b

    • Size

      2.9MB

    • MD5

      04884a82d01d733f245d921e1f74fb1b

    • SHA1

      975c743feccce12419d4d72f26c2d44c8591118a

    • SHA256

      e3d13acdbf704b60569fad130fec670ff20d99183fb4bfb32f339dd3138a5f2f

    • SHA512

      c7f26c9656a14a2865da01e7903f29b2474e5fb3bb7a054d09fdd7ea476f7c3666bf4b3fc87e676c4829c0f51942273bb8161b448e42246898985874389a072c

    • SSDEEP

      49152:Iv/bcmHcai2ga/yK3MSrNkd+YDSIT9Q3n4Ej5BHYDXTYPQnRxlP2RvTA7V0RZOr5:ccCcai2gaB3MN+YD44UHYDjYkh0vTA5X

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Target

      foo/06ed82e88e1f68cc08602d7cd8ec5f59

    • Size

      12.2MB

    • MD5

      06ed82e88e1f68cc08602d7cd8ec5f59

    • SHA1

      37d4750e5f22cc395dd721dd5df73aeccc095bb5

    • SHA256

      43eebbd84e92a99b2bbca0b578df68dc07756e2c5fe908c668ac8c69f934a7e5

    • SHA512

      63060f8723b2ad50b8bfc225af22156215d5362bcf4a3ad77d9fe9059414b8ba69679f5fcf83159da224f165a83ebee74a306300f41205a887a06ec0bb86f895

    • SSDEEP

      196608:2JFxZy4WBmUKUKWQNAmLiytHFjF6LNniJassnr5wc+snazcQ50OvvVpSIK28sWBj:23xU4RUKUKJdtTmuc/HpovrK28h2PA

    Score
    7/10
    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/07470b6ede84f02ec31ab0a601cdc068

    • Size

      199KB

    • MD5

      07470b6ede84f02ec31ab0a601cdc068

    • SHA1

      2ca5cc5bf36cf0dfc95a128267e5ca1bdead991b

    • SHA256

      c7307db0fdd462a0415cec9cb707045f575d28ae18f2db8efcedd7a2db3079ac

    • SHA512

      002bd7b302ce582ae8921f2613ab340a366a5928e32d1bddf6fbfc16f8fbde2ea93668775d418ea1b3375a32eff24d3f8e32a8f17d7549a743b545f873a0dab7

    • SSDEEP

      3072:kpHvK30WYWzVmPvrdGQ+lymBI60niKPC7UgkTDCChBZhBJ622EneWr6FLqL0duLZ:aPK30WYRhGQUceB+7hBEE5BoS

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      foo/078adb95b1a0a6449d8c4ece796deac0

    • Size

      349KB

    • MD5

      078adb95b1a0a6449d8c4ece796deac0

    • SHA1

      412cbff9af426e0af43b9b860150c7c30ebce654

    • SHA256

      94a65945d7cebe9755b6cb5cffe7139c848bcbbf5988b07a3d195c57f5e44a89

    • SHA512

      32b58760617c268de6571bae946d3757f021fc975e3546333371d1667e592057a71956578039e75ad953e8a8aff18d1f871e2fe360abe13a9866f1d56f5ea3e0

    • SSDEEP

      6144:yAxsgbpaLdswoKilzteZmMCip3LKcv3zgiltla6k1PJvn1KcxFT9fGMWd0i6d:xxsgbodsp8CiZvdtWxBxni6

    • Imminent RAT

      Remote-access trojan based on Imminent Monitor remote admin software.

    • Imminent family

    • Drops desktop.ini file(s)

    • Target

      foo/09e5c88a0592763e0c4f30fb88d663b4

    • Size

      713KB

    • MD5

      09e5c88a0592763e0c4f30fb88d663b4

    • SHA1

      939a8f3e7477ce8ee6406ac2b8aa58bd8399e1b4

    • SHA256

      9aac9319312f83811ad3ee68cd0ae467c088fa484ce921271be0382dc0d027fc

    • SHA512

      aa8aaa125fc6a47db42b882c960dc52e16df2a308675382f761a66060da414c26345fa526c92e322104b563372f7de6c305645d7a626fd5e4b5c100bdaba089b

    • SSDEEP

      12288:pm7rT6mQx4N59TwblV37IQSMH4mdea/71GR3An0XXXj:EPQx4NTTwbDaMYEd1T0XXXj

    Score
    3/10
    • Target

      foo/0becfedf4d0b9ad5251aca33274a4cf4

    • Size

      443KB

    • MD5

      0becfedf4d0b9ad5251aca33274a4cf4

    • SHA1

      5d6faf04a6215b08988f289373f3b239d5878d06

    • SHA256

      235b35c4574f4d28ac034e7fbd4827384f6243d591d1d1bd76e320905f5b0242

    • SHA512

      0e835c83ff46c74acf6140bd434666ddffd2c0aa9875fc9899daff62b473ab98ee0947c226e9ffd8c4322b418574e9f5e2d2d32415b232667921c3db404dcd35

    • SSDEEP

      12288:ONWz1AUZbht1FGdX3HLbDLuibinIrwBtTZG:OQzO8bhOLy04IrytI

    • Modifies WinLogon for persistence

    • Modifies firewall policy service

    • Modifies security service

    • UAC bypass

    • Windows security bypass

    • Disables Task Manager via registry modification

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Target

      foo/1a78d313f2891bd468f78694814a28a3

    • Size

      5.5MB

    • MD5

      1a78d313f2891bd468f78694814a28a3

    • SHA1

      7b10daf92b6bb599c68379909fbc951955e9335e

    • SHA256

      b8953f266d0ec05808dd5ba4799986c61bfc4d6e5308b0da84cbc8afe19de4df

    • SHA512

      4a9d76516888a4abff4acb29712abdc65674d5a9a3e69b0e30fa0cf815267d7d45f02d4879383232eb44c5503256af3adc4cb3db201e603816ccc983666475cb

    • SSDEEP

      98304:Dmh23PSP6k8KyY/M4cX4yMltBlj6f9BkcmxPy8Wfenuy0f:DmhP8KL/M48D8Tgf9ecmBpK

    Score
    7/10
    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      foo/1ffe827beb75335731cb6f052a8ec3a6

    • Size

      468KB

    • MD5

      1ffe827beb75335731cb6f052a8ec3a6

    • SHA1

      381ff47af182f52185fe2ff8d01453c5f611b04a

    • SHA256

      bf26329c083407931e46c85220e294904dc532e1095823290c04537f15316e47

    • SHA512

      fe1d68657aa99cb2949aa4aee3c12a70ba4f1fa9542f4606fb6a63627c593c74ce2188ebba15c2e366d8c79c4591e2bc048505abf4eed16d156a9b2ecf6334c8

    • SSDEEP

      6144:ZwHqhYmLOrI+BjYuWRgUTxSXL12tkfkPIW0X7YV:67mLOrIqj0RhwXikfJ7

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzonerat family

    • Warzone RAT payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      foo/255028f2f37838e92f84f27c68aaf4e1

    • Size

      536KB

    • MD5

      255028f2f37838e92f84f27c68aaf4e1

    • SHA1

      64e6d06aba93b91fbda44364278f2a91e91c6cf3

    • SHA256

      db04d912a4fa503b27bea546ca8160b040e3eaf8eabfa5ee0dc30b64738976e2

    • SHA512

      be1f9a5005c9c446a100891c9c955336e011ba550ca7c1f5dd4dd9c3f3041ff20fa30445f117331b6d121b0e89361bead40b981c50f01ce185fa3acf2b7d00d8

    • SSDEEP

      12288:oifFSc//DgKiS6ffx1qmcZrUEy5z4m2ixLCrXxsXTH3OFW:owFkKH6f5cZrUEyJ4mAkOFW

    Score
    3/10
    • Target

      foo/27601d095e5b3761d9289584415a73cc

    • Size

      565KB

    • MD5

      27601d095e5b3761d9289584415a73cc

    • SHA1

      9570f23b5abe2ef46a23ded17adb2fb6c203a201

    • SHA256

      749f5e042b317dc4e989c174d92936ef83d9d4fbf4c190f0e5b759b858b15cf4

    • SHA512

      066263bf8f11d48b4e3715b8962686e0ca32aa8647b642a193b5331513538a44bb49edad5ef6a08ae6cc6401504fadc7adf38efb07c9ae9560e947aac443e0e7

    • SSDEEP

      12288:REqmA0wfzInoQJUi1KHvQtzDNfo1arLaLRvs+Jkp/eH:RHmSyo+Ui13zZCI7+up/eH

    Score
    7/10
    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Target

      foo/27f9116902c35a9b784c703762bbd249

    • Size

      1.3MB

    • MD5

      27f9116902c35a9b784c703762bbd249

    • SHA1

      1f398a7f5bb032a30c2207e5e692524691b8a09e

    • SHA256

      548b424bedcb831086fb9ab5b6e284a7a71a53e430acad99155153a869844570

    • SHA512

      c046022a16f572eda5f60484d61190491579ee0d9d883d8f760859bbde0730dcfe4a603f847162d8901f6a87140da6a9c53134e8b7c2f9fa6192584765e94ff6

    • SSDEEP

      24576:aCdxte/80jYLT3U1jfsWarh061/ZfElRw0bMQ0j:7w80cTsjkWarx/ulA

    • BetaBot

      Beta Bot is a Trojan that infects computers and disables Antivirus.

    • Betabot family

    • Modifies firewall policy service

    • Event Triggered Execution: Image File Execution Options Injection

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Indicator Removal: Clear Persistence

      Removes IFEO.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      foo/28408caa2961caecd35c9f8f7c1aecc5

    • Size

      290KB

    • MD5

      28408caa2961caecd35c9f8f7c1aecc5

    • SHA1

      2df15d3bc4f7623ca3a18665b3c666ec8b70baa6

    • SHA256

      fe99d5ab8be0c9830fd97c1ed127b0c236da75b43a42a58fcd46cb8d46dc3c34

    • SHA512

      a4fdb80d3ac39a2fa46f19c8b5a803ded144e97dd7a3f194177ddaba15b8e0a0486e7b4de2e8c9c957eac4398487fe5872e54ad8e866e68e0beb283c937d0cbd

    • SSDEEP

      6144:b5KkIbWDMN39nN0p7BWlC3xIhKyraXPkawcEK7ii2tW:YkIQMRLrl+IBUPkaWi2tW

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fbe295e5a1acfbd0a6271898f885fe6a

    • SHA1

      d6d205922e61635472efb13c2bb92c9ac6cb96da

    • SHA256

      a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

    • SHA512

      2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

    • SSDEEP

      192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

upx aspackv2 0 1535648626 pyinstaller isfb rat vmprotect cobaltstrike qakbot limerat gozi warzonerat modiloader
Score
10/10

behavioral1

Score
1/10

behavioral2

discovery
Score
3/10

behavioral3

discovery
Score
4/10

behavioral4

discovery
Score
4/10

behavioral5

discovery upx
Score
6/10

behavioral6

discovery upx
Score
6/10

behavioral7

bootkit discovery persistence
Score
7/10

behavioral8

bootkit discovery persistence
Score
7/10

behavioral9

discovery
Score
7/10

behavioral10

discovery
Score
7/10

behavioral11

discovery upx
Score
7/10

behavioral12

discovery upx
Score
7/10

behavioral13

imminent discovery spyware trojan
Score
10/10

behavioral14

imminent discovery spyware trojan
Score
10/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
3/10

behavioral17

aspackv2 discovery evasion persistence trojan upx
Score
10/10

behavioral18

aspackv2 discovery evasion persistence trojan upx
Score
10/10

behavioral19

Score
5/10

behavioral20

Score
7/10

behavioral21

warzonerat discovery execution infostealer persistence rat
Score
10/10

behavioral22

warzonerat discovery execution infostealer persistence rat
Score
10/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10

behavioral25

discovery
Score
7/10

behavioral26

discovery
Score
7/10

behavioral27

betabot backdoor botnet defense_evasion discovery evasion persistence trojan
Score
10/10

behavioral28

betabot backdoor botnet defense_evasion discovery evasion persistence trojan
Score
10/10

behavioral29

lokibot collection discovery spyware stealer trojan
Score
10/10

behavioral30

discovery
Score
7/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10