comrat | 3ddc41eaf0ca6504fb7971f90fb8fc3a3b90f3ba4cf4c8cff047b650cf1da9ba

Sharing

Copy URL

Twitter E-mail

General

Target

3ddc41eaf0ca6504fb7971f90fb8fc3a3b90f3ba4cf4c8cff047b650cf1da9ba
Size

7.2MB
MD5

a0a94bae5bd7e8b2e61bbb23fe53d4e0
SHA1

fe72ebebfd8aaea12744e9aaf9a159864edacc56
SHA256

3ddc41eaf0ca6504fb7971f90fb8fc3a3b90f3ba4cf4c8cff047b650cf1da9ba
SHA512

de6a97b16fbf0c0344127a9e8370c62099c84fc6fcae4b0e46befb33aa68e34b5d14dbb5dc504218302ffe1cb3c8eea35f5d03ea76f82ce6280437ccbfad609f
SSDEEP

49152:EJrrr9q0v4ubJmg4OFuwkOM5NZihx9rz2TRjrgdOU9p1PZH/JNTFTJT5dwIwzQJw:4br0RCBNTBwAHvo

Score

10^/10

comrat

Malware Config

Signatures

ComRAT v4 (Orchestrator DLL) 1 IoCs

File contains strings specific to ComRAT v4 samples first seen in 2017.

resource	yara_rule
static1/unpack001/2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316	ComRAT

Comrat family
comrat

Unsigned PE 3 IoCs

Checks for missing Authenticode signature.

resource
unpack001/2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
unpack001/2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
unpack001/2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316

Files

3ddc41eaf0ca6504fb7971f90fb8fc3a3b90f3ba4cf4c8cff047b650cf1da9ba
.zip
2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/00352afc7e7863530e4d68be35ae8b60261fc57560167645697b7bfc0ac0e93d
.dll windows:5 windows x86 arch:x86

87ab41c57e95562a3e81f0609398b278

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

GetProcAddress
GetModuleHandleW

Exports

Exports

_test@4

Sections

.text
Size: 48KB - Virtual size: 48KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/134919151466c9292bdcb7c24c32c841a5183d880072b0ad5e8b3a3a830afef8
.ps1
2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/166b1fb3d34b32f1807c710aaa435d181aedbded1e7b4539ffa931c2b2cdd405
.dll windows:5 windows x64 arch:x64

87ab41c57e95562a3e81f0609398b278

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

Imports

kernel32

GetProcAddress
GetModuleHandleW

Exports

Exports

test

Sections

.text
Size: 59KB - Virtual size: 60KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 1KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 1024B - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/44d6d67b5328a4d73f72d8a0f9d39fe4bb6539609f90f169483936a8b3b88316
.dll windows:5 windows x64 arch:x64

d9d661a606c9d1c23b47672d1067de68

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_DLL

PDB Paths

C:\Projects\chinch_4_0\projects\chinch4\Build\x64\Release\x64_Release.pdb

Imports

kernel32

CreateFileW
ExpandEnvironmentStringsW
IsBadStringPtrA
MapViewOfFile
UnmapViewOfFile
SetEvent
FlushViewOfFile
GetCurrentProcess
OpenProcess
GetLocalTime
SetHandleInformation
ReadFile
MultiByteToWideChar
SetFileTime
GetOEMCP
GetProcAddress
LoadLibraryA
OpenEventW
GetFileSize
SetFilePointer
WriteFile
GetModuleHandleW
LoadLibraryW
GetVersionExW
VirtualProtectEx
GetExitCodeThread
lstrcmpiW
VirtualFreeEx
ReadProcessMemory
VirtualAllocEx
GetModuleHandleA
WriteProcessMemory
CreateThread
WideCharToMultiByte
CreateDirectoryW
DeleteFileW
CloseHandle
CreateEventW
TerminateProcess
Sleep
CreateProcessW
GetLastError
GetTickCount
WaitForSingleObject
GetNativeSystemInfo
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
CreatePipe
InitializeCriticalSection
SetStdHandle
OutputDebugStringW
GetCurrentProcessId
QueryPerformanceCounter
GetModuleFileNameA
GetSystemTimeAsFileTime
GetFileAttributesExW
GetStringTypeW
EncodePointer
DecodePointer
HeapFree
HeapAlloc
IsDebuggerPresent
IsProcessorFeaturePresent
ExitProcess
GetModuleHandleExW
HeapReAlloc
GetCPInfo
GetCommandLineA
GetCurrentThreadId
GetStdHandle
GetFileType
GetModuleFileNameW
WriteConsoleW
RtlPcToFileHeader
RaiseException
RtlLookupFunctionEntry
RtlUnwindEx
GetDateFormatW
GetTimeFormatW
CompareStringW
LCMapStringW
GetLocaleInfoW
IsValidLocale
GetUserDefaultLCID
EnumSystemLocalesW
SetEnvironmentVariableW
SetEnvironmentVariableA
RtlCaptureContext
RtlVirtualUnwind
UnhandledExceptionFilter
SetUnhandledExceptionFilter
SetLastError
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
GetStartupInfoW
FreeLibrary
LoadLibraryExW
HeapSize
GetProcessHeap
GetTimeZoneInformation
SetFilePointerEx
FlushFileBuffers
GetConsoleCP
GetConsoleMode
IsValidCodePage
GetACP
GetEnvironmentStringsW
FreeEnvironmentStringsW
ReadConsoleW
SetEndOfFile

advapi32

CryptDestroyHash
CryptCreateHash
CryptGenRandom
CryptGetHashParam
CryptDecrypt
CryptDestroyKey
CryptImportKey
CryptReleaseContext
CryptSetKeyParam
CryptAcquireContextW
RegSetValueExW
RegCloseKey
RegQueryValueExW
RegCreateKeyExW
CryptHashData

psapi

GetModuleBaseNameA
EnumProcessModulesEx
EnumProcessModules

Exports

Exports

UMEP
VFEP

Sections

.text
Size: 1003KB - Virtual size: 1003KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 470KB - Virtual size: 469KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 258KB - Virtual size: 305KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 5KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/README.md
2020.10.29_CISA-MAR-10310246_Powershell_Backdoor/a3170c32c09fc85cdda778a5c20a3dab144b6d1dd9996ba8340866e0081c7642
.ps1

Sharing

General

Malware Config

Signatures

Files

87ab41c57e95562a3e81f0609398b278

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Exports

Exports

Sections

.text Size: 48KB - Virtual size: 48KB

.rdata Size: 4KB - Virtual size: 4KB

.reloc Size: 4KB - Virtual size: 4KB

87ab41c57e95562a3e81f0609398b278

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

Exports

Exports

Sections

.text Size: 59KB - Virtual size: 60KB

.rdata Size: 1KB - Virtual size: 4KB

.pdata Size: 1024B - Virtual size: 4KB

d9d661a606c9d1c23b47672d1067de68

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

kernel32

advapi32

psapi

Exports

Exports

Sections

.text Size: 1003KB - Virtual size: 1003KB

.rdata Size: 470KB - Virtual size: 469KB

.data Size: 258KB - Virtual size: 305KB

.pdata Size: 46KB - Virtual size: 45KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 5KB - Virtual size: 5KB

.text
Size: 48KB - Virtual size: 48KB

.rdata
Size: 4KB - Virtual size: 4KB

.reloc
Size: 4KB - Virtual size: 4KB

.text
Size: 59KB - Virtual size: 60KB

.rdata
Size: 1KB - Virtual size: 4KB

.pdata
Size: 1024B - Virtual size: 4KB

.text
Size: 1003KB - Virtual size: 1003KB

.rdata
Size: 470KB - Virtual size: 469KB

.data
Size: 258KB - Virtual size: 305KB

.pdata
Size: 46KB - Virtual size: 45KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 5KB - Virtual size: 5KB