General

  • Target

    JaffaCakes118_8347a7ae54a9a8023fe9fe3b4ab8c877b588c461ba8d7bcd26df4a6ac6688b39

  • Size

    20.7MB

  • Sample

    241224-a8trksxkhm

  • MD5

    60b8a2a0d3abeffb4ede4d9da39ce5f0

  • SHA1

    7b7f505d1069046a4113afa522c01162200c9d07

  • SHA256

    8347a7ae54a9a8023fe9fe3b4ab8c877b588c461ba8d7bcd26df4a6ac6688b39

  • SHA512

    710560349833ffbbf99416b090888d492821acb01b654791a8de9dca1ca6a967af4dc6a4b3bd13c128c47c5c8004b6ce90084d19e91289b4f2ca390fd87f2cf2

  • SSDEEP

    393216:7aGW0dhhIoJ/og/AOs3rOrDPy5xuYWITnDK8hab6ibqSHRFSNEPzLi3nQRSKzHi:uGWiF/ookSrDPy5pWITDhMb6X0RFIiv6

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

zzzpmax.ddns.net:6666

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

njrat

Botnet

HacKed

Mutex

53$79$73$74$65$6d$33$32

Attributes
  • reg_key

    53$79$73$74$65$6d$33$32

  • splitter

    |-F-|
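The two extracted configs above are the most reusable part of this report: the AsyncRAT C2 host and port, its mutex, and the njRAT mutex, registry key and splitter. njRAT stores its strings as `$`-separated hex bytes, so the mutex/reg_key value `53$79$73$74$65$6d$33$32` is not an opaque token but decodes to plain text. The block below is an added example written for this page, not code from the sandbox or from either malware family: it decodes that encoding, folds both configs into one IOC set, and runs that set over a handful of constructed Sysmon-style events of the kind the behaviour list further down describes (C2 DNS lookup, mutex creation, a Run key value). The event records, their field names and the destination IP are assumptions for illustration only; the config values are the ones reported above.

```python
"""Decode the reported njRAT strings, build an IOC set from both extracted
configs, and match it against constructed host/network telemetry.
Example code for this report, not the sandbox's or the malware's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Config values exactly as extracted on the page.
ASYNCRAT_CFG = {
    "family": "asyncrat",
    "c2": ["zzzpmax.ddns.net:6666"],
    "mutex": "AsyncMutex_6SI8OkPnk",
    "install": False,
    "install_folder": "%AppData%",
    "delay": 3,
}
NJRAT_CFG = {
    "family": "njrat",
    "botnet": "HacKed",
    "mutex": "53$79$73$74$65$6d$33$32",
    "reg_key": "53$79$73$74$65$6d$33$32",
    "splitter": "|-F-|",
}

# One or more two-digit hex bytes joined by '$', e.g. "53$79$73".
DOLLAR_HEX = re.compile(r"^(?:[0-9a-fA-F]{2}\$)*[0-9a-fA-F]{2}$")


def decode_dollar_hex(value: str) -> str:
    """Decode an njRAT '$'-separated hex string; pass other strings through."""
    if not DOLLAR_HEX.match(value):
        return value
    return bytes(int(b, 16) for b in value.split("$")).decode("latin-1")


@dataclass
class IOCSet:
    c2_hosts: set[str] = field(default_factory=set)
    c2_ports: set[int] = field(default_factory=set)
    mutexes: set[str] = field(default_factory=set)
    run_values: set[str] = field(default_factory=set)  # value names under ...\Run


def build_iocs(*configs: dict) -> IOCSet:
    """Fold extracted configs into one normalised IOC set."""
    iocs = IOCSet()
    for cfg in configs:
        for hostport in cfg.get("c2", []):
            host, _, port = hostport.rpartition(":")
            iocs.c2_hosts.add(host.lower())
            iocs.c2_ports.add(int(port))
        if "mutex" in cfg:
            iocs.mutexes.add(decode_dollar_hex(cfg["mutex"]))
        if "reg_key" in cfg:
            iocs.run_values.add(decode_dollar_hex(cfg["reg_key"]))
    return iocs


# Constructed events (assumed field names, not taken from the report).
EVENTS = [
    {"type": "dns", "query": "zzzpmax.ddns.net"},
    {"type": "net", "dst": "203.0.113.10", "port": 6666},
    {"type": "mutex", "name": "\\Sessions\\1\\BaseNamedObjects\\AsyncMutex_6SI8OkPnk"},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "System32"},
    {"type": "dns", "query": "update.example.org"},  # benign, must not match
]


def match_events(events: list[dict], iocs: IOCSet) -> list[tuple[str, str]]:
    """Return (hit_type, detail) for each event that touches an IOC.
    A bare destination-port match is reported separately as 'c2_port_only'
    because port 6666 alone is a weak indicator."""
    hits = []
    for ev in events:
        if ev["type"] == "dns" and ev["query"].lower() in iocs.c2_hosts:
            hits.append(("c2_dns", ev["query"]))
        elif ev["type"] == "net" and ev["port"] in iocs.c2_ports:
            hits.append(("c2_port_only", f"{ev['dst']}:{ev['port']}"))
        elif ev["type"] == "mutex" and ev["name"].rsplit("\\", 1)[-1] in iocs.mutexes:
            hits.append(("mutex", ev["name"]))
        elif (ev["type"] == "reg" and ev["key"].endswith("\\Run")
              and ev["value"] in iocs.run_values):
            hits.append(("run_key", ev["value"]))
    return hits


if __name__ == "__main__":
    print("njrat mutex decodes to:", decode_dollar_hex(NJRAT_CFG["mutex"]))
    for hit in match_events(EVENTS, build_iocs(ASYNCRAT_CFG, NJRAT_CFG)):
        print(hit)
```

Two caveats worth carrying into any hunt built from this: the decoded njRAT value is the generic-looking name `System32`, which is a strong indicator only in combination with where it appears (a mutex name or a `Run` value name), and the AsyncRAT C2 is a dynamic-DNS host, so the IP it resolves to can change between the sandbox run and your investigation; match on the hostname, not on whatever address it resolved to on the day.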

Targets

    • Target

      ItroublveTSC.6.1.3/ItroublveTSC.exe

    • Size

      20.2MB

    • MD5

      009ccbe83baac45b58b4d68cc6c38dad

    • SHA1

      3ddef3044c1ff7eddcd8c342f54f8fa3b92bdbae

    • SHA256

      d6568b81da1c122667dfae75d8383bf93a07d4334df37b8b443463874d03fa94

    • SHA512

      57ff97490ecfb426d0d87397a5c075d9f9f499f0bd8785c573032f8d9b70c7f9457a5d4253d15c223b36882fdfa14dbb978f27cabe7066c277bc85e09cca31ea

    • SSDEEP

      393216:JyDn6besFfMj2DPPHtvEK15iDaXDXLybnk:4DYLLHtvEZaXLyg

    • AsyncRat

      AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a Delphi loader that abuses legitimate cloud services to download other malware families.

    • Modiloader family

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Async RAT payload

    • ModiLoader Second Stage

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Runs a command via powershell.exe.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ItroublveTSC.6.1.3/bin/Binaries/RtkBtManServ.exe

    • Size

      4.4MB

    • MD5

      3405f654559010ca2ae38d786389f0f1

    • SHA1

      8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

    • SHA256

      bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

    • SHA512

      cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

    • SSDEEP

      98304:lQf3s64R9ybzUcwti78OqJ7TPBF3ZlHHgkWJ0P39qXSaDv:ozUcwti7TQlF3ZxxWJSUnDv

    Score
    9/10
    • Detected Nirsoft tools

      Free utilities, frequently abused by attackers, that can recover passwords, product keys and similar secrets.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Target

      ItroublveTSC.6.1.3/bin/Program.cs

    • Size

      6KB

    • MD5

      fb91a042af865080b1068f1e345ca124

    • SHA1

      40ffd430fde179a103b19ef728a33d3da88d9c6f

    • SHA256

      e13a25cc5f69e4e9747e577f60f73f33eca48899caa85331f5c61ecbd1b61910

    • SHA512

      c12420afc7ddbc30f62a3e295939de0744dd50a8d78da0041eaabd378af1e2152cb363329efdeca70503d416c04642eb666bc1c4b983ea57639a7ac5bf189a6a

    • SSDEEP

      96:JoUyFXO4DV0VJ0BnRjEK+MaCH+YetqXOg6SBqxdHboQqrARSYRBIhWHz5I+I0:opNfjEK+MDH+Yesv6Sgx5oQqrVeIw+Y

    Score
    3/10
    • Target

      ItroublveTSC.6.1.3/bin/Properties/Resources.Designer.cs

    • Size

      2KB

    • MD5

      4b5b77878a69b99dfadac9397aa8abe6

    • SHA1

      5ffbcc33ced8c2e4ad539970cebac4a8c0f26877

    • SHA256

      a2c9f7982cc24f564ceb46be08dcd73985d490a249153700e0b5ecb1fa5c58c0

    • SHA512

      70b3294ba2ea399967d818e723692787d77580fd6a4bbcd66e8e0051660ad1a2d76241a9520140f8f28fbde645ee42ea1c6e08e660ce64c3d0b6978355557d03

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/Properties/Resources.resx

    • Size

      5KB

    • MD5

      0cd8c971317d19bbed44757809bcb92b

    • SHA1

      47b15748ecc8e952c5935170090db7c269ce4b4f

    • SHA256

      66b5ebd1b0fc73f041ba669ce2184f6f471d5e3524efa34ca31233e9f5395262

    • SHA512

      883dba84bf7daae3ea49f9d54c13dda4f125da82ba63f90eeba0900602896ad9492a0adf7b69b67d838034090af20926af5c2934797afaadb38aa069786c1fc6

    • SSDEEP

      96:fijrkiK5k5LPXbac9m5Lv6FzSvd4gIRjETUT200qSdvabvDIwQBugqvA:KjrbLPD9sLvIzSvKgIqUEa2

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/obf/CLI.exe

    • Size

      30KB

    • MD5

      a6f83da2bfe041d92ff79b9c238ed72e

    • SHA1

      ac12c6e8973f0f64d1395523fdcfcd0d73856128

    • SHA256

      0b997165e348b17658bef1e869881c37c79c2a9bb26e132ac4141eefd5912652

    • SHA512

      9ce5c2825848d360a07c9555bd940ceaf9c598dbf55f99fa783bbc47ca55dc375f562f29dc94e767ccd0f94120e37be90ad055ea22d353c283b0d3992df36e84

    • SSDEEP

      384:AtQiJWE1r0K0vYzZBgB1P5AkWFq7UQweltaJVuTlVKMwW7nj8VtDVth7WAl9MWod:biJWE1QzvYz/K1yXqYQ8VuAwbfVogxq

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/obf/Confuser.Core.dll

    • Size

      186KB

    • MD5

      6f3e120baa644b4dc085a3dd3e183bcf

    • SHA1

      3f7dbdd082447910be5b31cc80ca5cb64f6339c7

    • SHA256

      4742104d8e47541ed998d22321717d288cd62682b56f56f4a69dc9bd99c9a6fb

    • SHA512

      b42cc08f9e32f0e5ac760bc0af517d2b0e7bf469421faead3d33e7e07d24d538046ea912badc196f83badb5b1dc07b4f0141b8a09723dedf7c16628075963812

    • SSDEEP

      3072:GZ9cy/5Jxj5XhlgUmSae1DxMRqXYjKO02cDTi+P1sR+Fna1R1RjYdfc:GZ9cyhJ95XhlgUmSaevwj1pcDH/uL

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/obf/Confuser.DynCipher.dll

    • Size

      48KB

    • MD5

      6ebc90e77623826e71ded623a296660b

    • SHA1

      4fa7b0dc7582e03a7af6f41cba70b41f3aa5df15

    • SHA256

      cdad0a76f0d3f3e73fcdc6e5e6d98b0e88adcc2353c54344375b80197a86fcf6

    • SHA512

      a40dea9f56ce29c6d7c3022d6b09b164dfbc2c294b5ebf7869504cf9010d2dc844a371c6d753afe8851b1eb82e7373736bd68a1430a826ded3b74ca3628ccab2

    • SSDEEP

      1536:yV4R9J9YnzpSx6dZV0c+NQJOwEhy8bb30aatJILhopNfmxr:yLnzpSx4ZV0c+NQJOwEhy8bb30rJuhoI

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/obf/Confuser.Protections.dll

    • Size

      205KB

    • MD5

      a23e80a09e14a6c1ffa3c89cd7af7229

    • SHA1

      b1d45de9673e85b255096ec54e513a06212e4f15

    • SHA256

      a5b10ee104e225fbcdfa9f8024701674d9a4556f4e59b90a90a972724ba15bb9

    • SHA512

      0ba96fce7702829d44e7da9b9df3da0b0655098f719c0c25f683f7760ab4b819d079a2fff04fdb7cd5d8dfb7a571689b070a2a5358d9eee930a56c4c9605db44

    • SSDEEP

      6144:xAF9fU+KCm9QQmNBCrCmnTH3/JopinC5:xS

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/obf/Confuser.Renamer.dll

    • Size

      310KB

    • MD5

      e1656b7bfd3b7c9634f72c4f9085d226

    • SHA1

      46977837049a8009e18f096d2531ae2fed02ab42

    • SHA256

      4ce9a9f15724b17da414c4aad7b7bfbba0fd1b80e3d0b8452551d5f79fd32b50

    • SHA512

      f8c4aa1cbfb9bb78eaa35608815079216f88c7d74185112d76e0125946cf39d32ff7cd60796223764daca624b03d79febd90ac342dfc315579a1d57eea5d3687

    • SSDEEP

      3072:89nS3lQOaZ1rk8g6t8ZSv05Wa59XVGcxnLa3+qnOw9n/La9pwtgSfHxE1thSv3Vk:89SijrhZLg1r12BOw9n/zJvNjL

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/obf/Confuser.Runtime.dll

    • Size

      49KB

    • MD5

      42e45fa8bb26246ed3b3c2760e782912

    • SHA1

      fa49baf5f55cc5af7eed27b9547305780a7e4ddc

    • SHA256

      c8bcbe8c706659824ed001caf0be23b8470a99c0391a23c419884ad93df3cce0

    • SHA512

      f89c328bff75a25a636d0567f9dd0df00494c3156b24fe029677368a349367bea9b3bd0571a79eae94112e694161c1658fc8e8e25076a8b9cb7c4e539944fd21

    • SSDEEP

      1536:E/XNRvuA5rTGZcIDEG3mmmmH/flJDnJod:YXDZYSGfLrJQ

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/obf/Teen.dll

    • Size

      45KB

    • MD5

      fb9d14387b89b30606d094ae8cd93ea0

    • SHA1

      8f21ac1b24fe1072a9d9ad17eabc738bac23ef58

    • SHA256

      68eac14ca256f9871cc85ffc77c86b1d6378e6c900dff34f8b697be07b77446a

    • SHA512

      17e9af55a1967884645e5b30abed374b51c28e173160e369b422ef385a1de9bdb76ef38c740e905629932481421d213ac90589d1bc1c1901c312c3271c75a63e

    • SSDEEP

      384:6bcg3oHfkx4rxym37Bg4X0HuViEIXPdzJQKDckw6NhU0Pe4oannzXgvijJFWMHJs:lLSDDzgvijTlHJxKbBCxPULcBVDDQ

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/obf/dnlib.dll

    • Size

      1.1MB

    • MD5

      e61bad0331819ed63ca3b0d537f7e1a1

    • SHA1

      30c2b5c5e0a1564b88349fe952abdaf19f500c7d

    • SHA256

      d8fc78217493febe82670c5a93feb85ab86fc6a0387abcb6e9165e0c0bb97000

    • SHA512

      fba44931b1af1f23bb0bf011b73378a1a76cacecf53e6d48de5e027742961f5e76add9d5a11410a203b8ec6026cfaacab0dbd5f1bb91f58bb3447dacf6a24661

    • SSDEEP

      12288:sUHb3PIKxNNhFNxxq6iNq3JaxOCDmuGnjlHesWnuRyKh0ZUvz/sPv7fIFZ:lKzkuWhHDWKMA/sPv7fI/

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/packages/System.IO.Compression.ZipFile.4.3.0/lib/net46/System.IO.Compression.ZipFile.dll

    • Size

      24KB

    • MD5

      dcda916372128f13ada8b07026c1b3e7

    • SHA1

      99d6c187de8510206a93d2eed9c65e65e0c86e72

    • SHA256

      b5c12e9099643e2eda9b49edd0d98bdaed153c72a7e8e6235d8e78714402d16a

    • SHA512

      d66de5d61cf7090ce2e11ca8064723a44c2fdbd7ed937f1cf4198ebe13083037941b816ad9022d332bbb853666785600fa8b1faca94c498d2f82de73fe1e42f9

    • SSDEEP

      384:dK8Y54xRiW3mWeW+mWE3rq0GftpBj52ERHRN7dldBopPI:dKfemqiuEBHoa

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/packages/System.IO.Compression.ZipFile.4.3.0/lib/netstandard1.3/System.IO.Compression.ZipFile.dll

    • Size

      28KB

    • MD5

      65306815825ea8652d0ee2163d123d14

    • SHA1

      e8eaee6e9ae5fcdbd19b056856ba0d8424243e28

    • SHA256

      db7cb3cf25d563e85a287a77d0c9addf6dbc1907475330a173f4cccc1ca0e6ed

    • SHA512

      cd649101439099ce741d4c1a1334ce8bd9283d6531585047b64138b533e742808d1097e9419a3936e4939e1d4193488e0451291f4d56d70931e2d87a04239646

    • SSDEEP

      384:Our1AxpitMy7y4eCgW3mWoQ7q0GftpBj3zDvERHRN7lX1l78oWCmtPa:xr183CziprEBRzek

    Score
    1/10
    • Target

      ItroublveTSC.6.1.3/bin/packages/System.IO.Compression.ZipFile.4.3.0/ref/net46/System.IO.Compression.ZipFile.dll

    • Size

      24KB

    • MD5

      dcda916372128f13ada8b07026c1b3e7

    • SHA1

      99d6c187de8510206a93d2eed9c65e65e0c86e72

    • SHA256

      b5c12e9099643e2eda9b49edd0d98bdaed153c72a7e8e6235d8e78714402d16a

    • SHA512

      d66de5d61cf7090ce2e11ca8064723a44c2fdbd7ed937f1cf4198ebe13083037941b816ad9022d332bbb853666785600fa8b1faca94c498d2f82de73fe1e42f9

    • SSDEEP

      384:dK8Y54xRiW3mWeW+mWE3rq0GftpBj52ERHRN7dldBopPI:dKfemqiuEBHoa

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks

static1

modiloader
Score
10/10

behavioral1

asyncrat modiloader njrat default hacked discovery evasion persistence privilege_escalation pyinstaller rat trojan
Score
10/10

behavioral2

asyncrat modiloader default discovery evasion execution persistence privilege_escalation pyinstaller rat spyware stealer trojan
Score
10/10

behavioral3

discovery
Score
9/10

behavioral4

discovery
Score
9/10

behavioral5

execution
Score
3/10

behavioral6

execution
Score
3/10

behavioral7

Score
1/10

behavioral8

Score
1/10

behavioral9

Score
1/10

behavioral10

Score
1/10

behavioral11

Score
1/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

Score
1/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

Score
1/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

Score
1/10

behavioral24

Score
1/10

behavioral25

Score
1/10

behavioral26

Score
1/10

behavioral27

Score
1/10

behavioral28

Score
1/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

Score
1/10

behavioral32

Score
1/10