General

  • Target

    UltraDropper.exe.malw

  • Size

    2.1MB

  • Sample

    241222-m171fsvqbz

  • MD5

    28c3eb32ab4185ac84acaa304315a603

  • SHA1

    4bffa15026ea67110268ef0178309efcb790e105

  • SHA256

    9502b25ab65e010a527de6fe78d6a7779fa9d0cd885041a7d65c7a275c4f4122

  • SHA512

    4b5cfaef9bdc145f34a80f0da92358514172290285106afdb6dc0efdb442d9ca327fbdbf614805299a0db9fed704182ee32e6de0ac392062ecd2fba8b78464c1

  • SSDEEP

    49152:TW2vZKbn0KJrgcvZ4dvTrRpjgYhNWue0CJAoc:9vZKrJ5vZ4drfgYOfQ

Malware Config

Extracted

Family

eternity

C2

http://eternityms33k74r7iuuxfda4sqsiei3o3lbtr5cpalf6f4skszpruad.onion

Attributes
  • payload_urls

    https://raroford3242.xyz/myupdate.exe

    https://raroford3242.xyz/Sklmsstregens.vbs, https://raroford3242.xyz/remcexecrypt.exe, https://raroford3242.xyz/redlcryp.exe, https://raroford3242.xyz/racoocry.exe

    https://raroford3242.xyz/myupdate.exe

    https://raroford3242.xyz/myupdate.exe

Extracted

Family

emotet

Botnet

Epoch5

C2

178.238.225.252:8080

139.196.72.155:8080

36.67.23.59:443

103.56.149.105:8080

37.44.244.177:8080

85.25.120.45:8080

202.134.4.210:7080

78.47.204.80:443

83.229.80.93:8080

93.104.209.107:8080

80.211.107.116:8080

165.22.254.236:8080

104.244.79.94:443

185.148.169.10:8080

190.145.8.4:443

175.126.176.79:8080

139.59.80.108:8080

188.165.79.151:443

128.199.217.206:443

64.227.55.231:8080

ecs1.plain
eck1.plain

Extracted

Family

redline

Botnet

@dsadasdasd1

C2

45.15.156.155:80

Attributes
  • auth_value

    e2637596f93702084676494f7e0c2dfd

Targets

    • Target

      UltraDropper.exe.malw

    • Size

      2.1MB

    • MD5

      28c3eb32ab4185ac84acaa304315a603

    • SHA1

      4bffa15026ea67110268ef0178309efcb790e105

    • SHA256

      9502b25ab65e010a527de6fe78d6a7779fa9d0cd885041a7d65c7a275c4f4122

    • SHA512

      4b5cfaef9bdc145f34a80f0da92358514172290285106afdb6dc0efdb442d9ca327fbdbf614805299a0db9fed704182ee32e6de0ac392062ecd2fba8b78464c1

    • SSDEEP

      49152:TW2vZKbn0KJrgcvZ4dvTrRpjgYhNWue0CJAoc:9vZKrJ5vZ4drfgYOfQ

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Detects MyDoom family

    • Emotet

      Emotet is a trojan that is primarily spread through spam emails.

    • Emotet family

    • Eternity

      Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.

    • Eternity family

    • MyDoom

      MyDoom is a Worm that is written in C++.

    • Mydoom family

    • Njrat family

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    • Privateloader family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • RedLine payload

    • Redline family

    • Windows security bypass

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Disables RegEdit via registry modification

    • Modifies Windows Firewall

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks