Analysis Report

MIFR-10121050-1.v2

Last Revised
Alert Code
AR20-133P
 

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.

US-CERT received two malicious RTF documents. When opened, the documents attempt to download a malicious payload associated with the Dridex banking trojan.

For a downloadable copy of IOCs, see MIFR-10121050-1.v2.stix.

Files (2)

7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c (7f2a499891a72b9f3b0923be0f9db4...)

c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629 (c98f34e4e87f041c3f19749bbb995b...)

Domains (2)

btt5sxcx90.com

rottastics36w.net

Findings

7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c

Tags

CVE-2017-0199downloaderdroppertrojan

Details
Name 7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c.bin
Size 37510 bytes
Type Rich Text Format data, version 1, unknown character set
MD5 775390eeeff4d54b9c3941ef1f220c9f
SHA1 3770051d8cb7df081b5409f2be3b8d6c916a2755
SHA256 7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c
SHA512 1c590c54a76c556bebc0c5b99d1c14051716c4e01b9731149543722ff297748a8efb3acc136a6ecc2a7525c0af999e2ea1cfe9788f57d56071e843b60f464d63
ssdeep 384:C8W68Kw0zybdKk907U7UD1cYOs8BxJJ2PAi6rGsNAYAXJqskps:C8O07U7UDuYOs8BxX2PEhAZq1s
Entropy 4.782672
Antivirus
Ahnlab RTF/Cve-2017-0199
Antiy Trojan[Exploit]/RTF.CVE-2017-0199
Avira EXP/W2000.Agent.12344
BitDefender Trojan.Exploit.ANWK
ClamAV Doc.Dropper.Agent-6249686-0
Cyren CVE-2017-0199.B!Camelot
ESET Win32/Exploit.CVE-2017-0199.A trojan
Emsisoft Trojan.Exploit.ANWK (B)
Ikarus Exploit.CVE-2017-0199
McAfee Exploit-CVE2017-0199.c
Microsoft Security Essentials Exploit:O97M/CVE-2017-0199!dha
NANOAV Exploit.Ole2.CVE-2017-0199.equmby
NetGate Exploit.Win32.Generic
Quick Heal Exp.RTF.CVE-2017-0199
Sophos Troj/DocDrop-TJ
Symantec Trojan.Mdropper
TACHYON Downloader/RTF.CVE-2017-0199
TrendMicro TROJ_CV.2BCCE136
TrendMicro House Call TROJ_CV.2BCCE136
VirusBlokAda Exploit.O97M.Blinky.B
YARA Rules

No matches found.

ssdeep Matches
96 ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e
96 c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629
Relationships
7f2a499891... Connected_To rottastics36w.net
Description

7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c.bin is a malicious Rich Text Format (RTF) document. When the file is opened it will display an error message to the victim (Screenshot 1) while attempting to download the file, 'template.doc' from the domain, rottastics36w.net. The domain did not resolve to an IP address at the time of analysis.

Screenshots

Screenshot 1. Error Message -

rottastics36w.net

Tags

command-and-control

URLs
  • http://rottastics36w.net/template.doc
Whois

Domain name: rottastics36w.net

Registry Domain ID: 77428276_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.eranet.com

Registrar URL: http://www.tnet.hk/

Update Date: 2017-04-02T16:00:00Z

Creation Date: 2017-04-03T09:14:21Z

Registrar Registration Expiration Date: 2018-04-02T16:00:00Z

Registrar: ERANET INTERNATIONAL LIMITED

Registrar IANA ID: 1868

Registrar Abuse Contact Email: support@eranet.com

Registrar Abuse Contact Phone: +852.35685366

Reseller:    

Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

Domain Status: clientHold http://www.icann.org/epp#clientHold

Registry Registrant ID:

Registrant Name: Robert Ruthven

Registrant Organization: Gamblin Artists Colors

Registrant Street: 323 SE Division Pl

Registrant City: Portland

Registrant Province/state: OR

Registrant Postal Code: 97202

Registrant Country: US

Registrant Phone: +1.5034359411

Registrant Phone EXT:

Registrant Fax: +1.5034359411

Registrant Fax EXT:

Registrant Email: jenniemarc@mail.com

Registry Admin ID:

Admin Name: Robert Ruthven

Admin Organization: Gamblin Artists Colors

Admin Street: 323 SE Division Pl

Admin City: Portland

Admin Province/state: OR

Admin Postal Code: 97202

Admin Country: US

Admin Phone: +1.5034359411

Admin Phone EXT:

Admin Fax: +1.5034359411

Admin Fax EXT:

Admin Email: jenniemarc@mail.com

Registry Tech ID:

Tech Name: Robert Ruthven

Tech Organization: Gamblin Artists Colors

Tech Street: 323 SE Division Pl

Tech City: Portland

Tech Province/state: OR

Tech Postal Code: 97202

Tech Country: US

Tech Phone: +1.5034359411

Tech Phone EXT:

Tech Fax: +1.5034359411

Tech Fax EXT:

Tech Email: jenniemarc@mail.com

Relationships
rottastics36w.net Connected_From 7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c
Description

When the document, 7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c.bin is opened an attempt is made to download the file 'template.doc' from this domain. The domain does not resolve to an IP address.

c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629

Tags

CVE-2017-0199downloaderdroppertrojan

Details
Name c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629.bin
Size 37517 bytes
Type Rich Text Format data, version 1, unknown character set
MD5 cd60a118fede29f93363a807ce19c208
SHA1 09048811d050bd5f29be36a4b145709f26d4185a
SHA256 c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629
SHA512 158dc4490e3d4bc0777d8af4e68882d7346deeb2768f02f6003478ee5941ba5ce9c6e342f3d4b91a760c7ff8b77959117f828a6b6ca77d298802eb6381358697
ssdeep 384:C8W68Kw0zybdKk907U7UYcYOs8BaJJ2PAi6rGsNAYAXJqskps:C8O07U7UxYOs8BaX2PEhAZq1s
Entropy 4.782730
Antivirus
Ahnlab RTF/Exploit
Antiy Trojan[Exploit]/RTF.CVE-2017-0199
Avira EXP/W2000.Agent.12345
BitDefender Trojan.Agent.CFWP
ClamAV Rtf.Exploit.CVE_2017_0199-6336824-0
Cyren CVE-2017-0199.B!Camelot
ESET Win32/Exploit.CVE-2017-0199.A trojan
Emsisoft Trojan.Agent.CFWP (B)
Ikarus Exploit.CVE-2017-0199
McAfee Exploit-CVE2017-0199.c
Microsoft Security Essentials Exploit:O97M/Blinky.B
NANOAV Exploit.Ole2.CVE-2017-0199.equmby
NetGate Exploit.Win32.Generic
Quick Heal Exp.RTF.CVE-2017-0199
Sophos Troj/DocDrop-TJ
Symantec Trojan.Mdropper
TACHYON Downloader/RTF.CVE-2017-0199
TrendMicro TROJ_CV.5BA615B9
TrendMicro House Call TROJ_CV.5BA615B9
VirusBlokAda Exploit.O97M.Blinky.B
YARA Rules

No matches found.

ssdeep Matches
96 7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c
97 ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e
Relationships
c98f34e4e8... Connected_To btt5sxcx90.com
Description

c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629.bin is a malicious Rich Text Format (RTF) document. When the file is opened it will display an error message to the victim (Screenshot 1) while attempting to download the file, 'template.doc' from the domain, btt5sxcx90.com. The domain did not resolve to an IP address at the time of analysis.

Screenshots

Screenshot 1. Error Message -

btt5sxcx90.com

Tags

command-and-control

URLs
  • http://btt5sxcx90.com/template.doc
Whois

Domain name: btt5sxcx90.com

Registry Domain ID: 77428276_DOMAIN_COM-VRSN

Registrar WHOIS Server: whois.eranet.com

Registrar URL: http://www.tnet.hk/

Update Date: 2017-04-02T16:00:00Z

Creation Date: 2017-04-03T09:15:33Z

Registrar Registration Expiration Date: 2018-04-02T16:00:00Z

Registrar: ERANET INTERNATIONAL LIMITED

Registrar IANA ID: 1868

Registrar Abuse Contact Email: support@eranet.com

Registrar Abuse Contact Phone: +852.35685366

Reseller:    

Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited

Domain Status: clientHold http://www.icann.org/epp#clientHold

Registry Registrant ID:

Registrant Name: Robert Ruthven

Registrant Organization: Gamblin Artists Colors

Registrant Street: 323 SE Division Pl

Registrant City: Portland

Registrant Province/state: OR

Registrant Postal Code: 97202

Registrant Country: US

Registrant Phone: +1.5034359411

Registrant Phone EXT:

Registrant Fax: +1.5034359411

Registrant Fax EXT:

Registrant Email: jenniemarc@mail.com

Registry Admin ID:

Admin Name: Robert Ruthven

Admin Organization: Gamblin Artists Colors

Admin Street: 323 SE Division Pl

Admin City: Portland

Admin Province/state: OR

Admin Postal Code: 97202

Admin Country: US

Admin Phone: +1.5034359411

Admin Phone EXT:

Admin Fax: +1.5034359411

Admin Fax EXT:

Admin Email: jenniemarc@mail.com

Registry Tech ID:

Tech Name: Robert Ruthven

Tech Organization: Gamblin Artists Colors

Tech Street: 323 SE Division Pl

Tech City: Portland

Tech Province/state: OR

Tech Postal Code: 97202

Tech Country: US

Tech Phone: +1.5034359411

Tech Phone EXT:

Tech Fax: +1.5034359411

Tech Fax EXT:

Tech Email: jenniemarc@mail.com

Relationships
btt5sxcx90.com Connected_From c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629
Description

When the document, c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629.bin is opened an attempt is made to download the file 'template.doc' from this domain. The domain does not resolve to an IP address.

Relationship Summary

7f2a499891... Connected_To rottastics36w.net
rottastics36w.net Connected_From 7f2a499891a72b9f3b0923be0f9db490463639166b41a15fe3bf5387df660f1c
c98f34e4e8... Connected_To btt5sxcx90.com
btt5sxcx90.com Connected_From c98f34e4e87f041c3f19749bbb995bfcd2e3de20c2ba619ea4a0ed616ac1b629

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Revisions

May 12, 2020: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.