Overview

overview

10

Static

static

10

aquatic_cracked.zip

windows7-x64

1

aquatic_cracked.zip

windows10-2004-x64

8

config.toml

windows7-x64

3

config.toml

windows10-2004-x64

8

crack.dll

windows7-x64

9

crack.dll

windows10-2004-x64

9

loader.exe

windows7-x64

10

loader.exe

windows10-2004-x64

10

main.exe

windows7-x64

7

main.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    aquatic_cracked.zip

  • Size

    40.6MB

  • Sample

    250217-dtnhssyjcv

  • MD5

    6296ae99120a74f4582965def5298133

  • SHA1

    074e8be2bd7bced0476ed796568a5d007be254de

  • SHA256

    0dc223deeb245f7ef48f298ea3f6630b8ab0c555b988dd0f901b2dec624ee2a0

  • SHA512

    a21c9a80de6b2308efd56febc5277017256dd4d4f7cc97fe4851dbd7e421339ac14805ec986f2058924b76765a799cbb131c62c787f44f48bbb5552310005ec2

  • SSDEEP

    786432:kuDuTF+Vxw89urUY8y1i3fNIqyEROml3sWcpVCwFSTtG4+nyVvUzueMEG:kL+Vl9q8y1saqyE448CCSJoyVvUueMEG

Score
10/10
asyncratstormkittyxreddefaultbackdoorcollectioncredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      aquatic_cracked.zip

    • Size

      40.6MB

    • MD5

      6296ae99120a74f4582965def5298133

    • SHA1

      074e8be2bd7bced0476ed796568a5d007be254de

    • SHA256

      0dc223deeb245f7ef48f298ea3f6630b8ab0c555b988dd0f901b2dec624ee2a0

    • SHA512

      a21c9a80de6b2308efd56febc5277017256dd4d4f7cc97fe4851dbd7e421339ac14805ec986f2058924b76765a799cbb131c62c787f44f48bbb5552310005ec2

    • SSDEEP

      786432:kuDuTF+Vxw89urUY8y1i3fNIqyEROml3sWcpVCwFSTtG4+nyVvUzueMEG:kL+Vl9q8y1saqyE448CCSJoyVvUueMEG

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral1behavioral2

    • Target

      config.toml

    • Size

      202B

    • MD5

      fe783a62cf5f5e09a7d8c6fd17ae60df

    • SHA1

      46fa99c2b4c4158e9d9542559f11f34df5da8840

    • SHA256

      3188d09b74d87c1f1d1b6cd2624ef6fbb02aa27183e4908bed30f7f8ecd371b5

    • SHA512

      d20a4d9c2a6f6ee2a7f4bc7d86264d1028d17db6e6cd868a27ff6d191170104bd99641dbba636d05588ad5e031ba378dcb28420b8a38363fcfadbb2608d25de3

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral3behavioral4

    • Target

      crack.dll

    • Size

      5.1MB

    • MD5

      fe7dc4218e47f5c31e7a2db9b2e55ddd

    • SHA1

      6d30688097e87755b5d59429e5dfb9ce0562f931

    • SHA256

      1cbaa9f954edae2e9a6ccac8e0119ff533ee01b42b1bb24fa10adfa80064b780

    • SHA512

      922048e800411cb7f21618647b88b0d8b5c98aa45a55eb8ab66a838f3900bed6e03cd247e27af0b304bd4b71fa6402d1b88aa320aa4c23a42088a1617dac73c7

    • SSDEEP

      98304:ZvNYCYPKFV3CIz5igBo6qO90Pqp8YVH/6yG/fdmjLdGGf:ZvyWLNia90S7iyb

    Score
    9/10
    defense_evasiontrojandiscovery

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral5behavioral6

    • Target

      loader.exe

    • Size

      13.2MB

    • MD5

      5ff10152530307b7903a5273dcdcd506

    • SHA1

      e140280b3524bcbc47db71eb5dcaeb0c5a58ce4a

    • SHA256

      654e0a21bb10acdb2726cff23859d207e408bec19c198a6a1fd46a74db266410

    • SHA512

      d26bf9bb14ccb2d292c432179678aaa77f7ff7ab07eae292b70fdacd4bfd18c2c1aa60e2c58dd4b94b4c8da1bd619a50554834131e20fd3cac04f5ced8dd7010

    • SSDEEP

      393216:LwFSeUNkxhQSj/utI2v49J3lHVs4DGGLaeqOv:PeikL1Wq2v4RHV5Xu4

    Score
    10/10
    asyncratstormkittyxreddefaultbackdoordefense_evasiondiscoverypersistenceprivilege_escalationratspywarestealerupxcollectioncredential_accessexecutiontrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Modifies security service

      defense_evasion

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Stormkitty family

      stormkitty

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Xred

      Xred is backdoor written in Delphi.

      backdoorxred

    • Xred family

      xred

    • Async RAT payload

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      defense_evasion

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Clipboard Data

      Adversaries may collect data stored in the clipboard from users copying information within or between applications.

      collection

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Drops file in System32 directory

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral7behavioral8

    • Target

      main.exe

    • Size

      24.1MB

    • MD5

      c4639a9dd4fa418a1e2e5537b9a53bfe

    • SHA1

      9fea0f4615170667aa59dac92f6d424455b5fc54

    • SHA256

      6548853e51522d28bc2d4ee6dbecdfe7be496462cb87f26587f830374ce07ec7

    • SHA512

      2e5f53a2d4bae0028ecb715485327db9da7aeb45176e7e54db039516dab6002f41b5f44ae728f7752ee840f34b14ac78698cea3bc4cc2d00ea815873bad6b692

    • SSDEEP

      786432:8Ljr7FsBzlI0ecXYc1xk/cBFG8zv7NRDZPA:oezlI1kLxJBFGu7HFY

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    behavioral10behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Virtualization/Sandbox Evasion

1
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

7
T1012

System Information Discovery

9
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

2
T1016

Internet Connection Discovery

1
T1016.001

Wi-Fi Discovery

1
T1016.002

Virtualization/Sandbox Evasion

1
T1497

Lateral Movement

Collection

Clipboard Data

1
T1115

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks