Malware Analysis Report (AR22-197A)

MAR-10382580-r2.v1 – RAT

Click to Tweet.
Click to send to Facebook.
Click to Share.

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This CISA submission included one unique file. This file is a malicious loader that contains an embedded executable. This embedded executable is a Remote Access Tool (RAT) that provides a vast array of Command and Control (C2) capabilities. These C2 capabilities include the ability to remotely monitor a system's desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The malware can also function as a proxy, allowing a remote operator to pivot to other systems.

For a downloadable copy of IOCs, see: MAR-10382580.r2.v1.WHITE_stix

Submitted Files (1)

4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f (ilasvc.exe)

IPs (1)

151.106.30.120

Findings

4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f

Tags

remote-access-trojantrojan

Details
Name ilasvc.exe
Size 1056768 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 05d38bc82d362dd57190e3cb397f807d
SHA1 52b04d348adf7e42e7c7d6c2ec9aabbcaba07188
SHA256 4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f
SHA512 d03894ad9ce7a5f0e58a5e6385926263507f2571e3cbe60fce1ed5463a77152a7779d8b494ee7a6ff4986de19c0a92cbcc8dae5697d69dc196c474723ee553ef
ssdeep 24576:mStdBO8/kIH46+jHd3JURkxXH3rg9fNJa9y5xmDYzgLu8b7oCK:mST2+qXHbg91Ja9y5MOgL3K
Entropy 7.599564
Antivirus
ESET a variant of Win64/Injector.HA.gen trojan
IKARUS Trojan.Win64.Injector
YARA Rules
  • rule CISA_10382580_03 : loader
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10382580"
           Date = "2022-05-02"
           Last_Modified = "20220602_1200"
           Actor = "n/a"
           Category = "Loader"
           Family = "n/a"
           Description = "Detects loader samples"
           MD5_1 = "3764a0f1762a294f662f3bf86bac776f"
           SHA256_1 = "f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab"
           MD5_2 = "21fa1a043460c14709ef425ce24da4fd"
           SHA256_2 = "66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16"
           MD5_3 = "e9c2b8bd1583baf3493824bf7b3ec51e"
           SHA256_3 = "7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751"
           MD5_4 = "de0d57bdc10fee1e1e16e225788bb8de"
           SHA256_4 = "33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b"
           MD5_5 = "9b071311ecd1a72bfd715e34dbd1bd77"
           SHA256_5 = "3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0"
           MD5_6 = "05d38bc82d362dd57190e3cb397f807d"
           SHA256_6 = "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f"
       strings:
           $s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 }
           $s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 }
           $s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 }
           $s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 }
       condition:
           all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2020-04-30 19:43:57-04:00
Import Hash 99197f3296550481a848ea8d4e097487
Company Name Sysinternals - www.sysinternals.com
File Description Flush cached data to disk.
Internal Name Sync
Legal Copyright Copyright (C) 2016 Mark Russinovich
Original Filename Sync.exe
Product Name Sysinternals Sync
Product Version 2.2
PE Sections
MD5 Name Raw Size Entropy
a917582fc3e796bb1d43bfce05c0cfb3 header 1024 3.105665
5fbd29958a5484173910cb06dcfc4e9e .text 310784 6.453454
34b6e6a847957ef90ef9460e0f8dd3d0 .rdata 98304 5.168254
e32c1166142d325350f6e6443db43144 .data 3584 2.609738
ffc4ab2046acad015eba98898e975ad5 .pdata 18432 5.804487
502485fa11633b4eb9eaef15fcb482a5 .rsrc 622080 7.975998
69687e4a3ffbefbe782d13637ce8605a .reloc 2560 4.913641
Relationships
4cd7efdb1a... Connected_To 151.106.30.120
Description

This malware is a 64-bit Windows loader that contains an embedded encrypted malicious executable. During runtime, this embedded executable is decrypted and loaded into memory, never touching the system's hard disk. The encrypted executable is similar in functionality to the file 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16, described in report MAR-10382580.r1.v1. The malware embedded within this loader attempts to communicate with the hard-coded C2 Internet Protocol (IP) address 151[.]106[.]30[.]120. This malware provides a vast array of C2 capabilities including the ability to log keystrokes, upload and execute additional payloads, function as a proxy, and have graphical user interface (GUI) access over a target Windows system's desktop. Many of the structures utilized to implement the C2 capabilities in this malware appear to be derived from the same source code as 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16, however this malware utilizes much more complex obfuscation to hinder the analysis of its code structures. This malware also utilizes a more complex encryption algorithm to secure its network communications.

The malware embedded within this binary utilizes a secure strings scheme based on a rotating XOR cipher (Figure 7). The strings are partially decrypted and listed below with their corresponding approximate memory address locations during runtime -- assuming a base address of 0x260000.

--Begin Decoded Strings--

('0x264e32', 'RegQueryValueExl')
('0x264f58', 'RegQueryValueEx\\')
('0x265325', 'GetCurrentProcessId')
('0x265bc9', 'GetEnvironmentVariableW')
('0x265cc1', 'ShellExecuteExW')
('0x268b20', 'GetAdaptersInfo')
('0x268c49', 'GetAdaptersInfo')
('0x26a77c', 'EnumDependentServicesW')
('0x26a98b', 'EnumDependentServi')
('0x26abb9', 'ControlService')
('0x26ad5b', 'QueryServiceStatus')
('0x26af62', 'CloseServiceHandle')
('0x26c3ed', 'GetComputerNameW')
('0x277621', 'GetEnvironmentVariableW')
('0x27856f', 'GetLogicalDriveStringsW')
('0x2788e5', 'GetVolumeInformationW')
('0x278f87', 'FindFirstFileW')
('0x27a3f3', 'GetSystemDirectoryW')
('0x27bf04', 'SetFilePointerEx')
('0x27d125', 'RemoveDirectoryW')
('0x27daa7', 'FindFirstFileW')
('0x284074', 'GetClipboardData')
('0x2850d4', 'GetForegroundWindow')
('0x28513d', 'GetDesktopWindow')
('0x28b443', 'GetProcessHeap')
('0x28b533', 'CoInitializeEx')
('0x28b655', 'StartServiceCtrlDispatch')
('0x28cd63', 'GetModuleFileNameW')
('0x2636f3', 'UnkownError')
('0x2649f3', "Display''''")
('0x264ab0', 'RegOpenKeyExW')
('0x264af0', 'ADVAPI32.dll')
('0x264ca0', 'RegEnumKeyExW')
('0x264ce0', 'ADVAPI32.dll')
('0x264d80', 'RegOpenKeyExW')
('0x264dc0', 'ADVAPI32.dll')
('0x264e90', 'ADVAPI32.dll')
('0x264fb0', 'ADVAPI32.dll')
('0x265160', 'RegCloseKey')
('0x2651b0', 'ADVAPI32.dll')
('0x265390', 'KERNEL32.dll')
('0x265c30', 'KERNEL32.dll')
('0x265d20', 'SHELL32.dll')
('0x266950', 'GetVersionExW')
('0x266990', 'KERNEL32.dll')
('0x266b63', 'CurrentMajorVersionNum')
('0x266c33', 'CurrentMajorVersionNum')
('0x268b80', 'IPHLPAPI.dll')
('0x268c03', 'KERNEL32.dll')
('0x268ca0', 'IPHLPAPI.dll')
('0x26a710', 'GetTickCount')
('0x26a750', 'KERNEL32.dll')
('0x26a7b8', 'EnumDepende')
('0x26a7f3', 'Advapi32.dll')
('0x26a872', 'GetLastError')
('0x26a8b0', 'KERNEL32.dll')
('0x26a940', 'KERNEL32.dll')
('0x26aa17', 'Advapi32.dll')
('0x26aafb', 'OpenServiceW')
('0x26ab4b', 'Advapi32.dll')
('0x26ac33', 'Advapi32.dll')
('0x26acd4', 'Sleep')
('0x26ad24', 'KERNEL32.dll')
('0x26adea', 'Advapi32.dll')
('0x26aeaa', 'GetTickCount')
('0x26af03', 'KERNEL32.dll')
('0x26afdb', 'Advapi32.dll')
('0x26c2e0', 'GetUserNameW')
('0x26c320', 'Advapi32.dll')
('0x26c450', 'KERNEL32.dll')
('0x26cad0', 'KERNEL32.dll')
('0x273220', 'closesocket')
('0x274a90', 'getsockname')
('0x275280', 'getsockname')
('0x276583', 'Erroroccurswhiles')
('0x276714', 'NoTabsinclient.')
('0x2769e3', 'NoTabsinclient.')
('0x276b60', 'KERNEL32.dll')
('0x277690', 'KERNEL32.dll')
('0x2785e0', 'KERNEL32.dll')
('0x2786d3', 'ErroroccursinGetL')
('0x278950', 'KERNEL32.dll')
('0x2789e0', 'GetDriveTypeW')
('0x278a20', 'KERNEL3')
('0x278f10', 'PathCombineW')
('0x278f50', 'SHLWAPI.dll')
('0x278fa4', 'FindFirstFile')
('0x278fe0', 'KERNEL32.dll')
('0x279120', 'PathCombineW')
('0x279160', 'SHLWAPI.dll')
('0x2791c1', 'CreateFileW')
('0x279200', 'KERNEL32.dll')
('0x279280', 'GetFileTime')
('0x2792c0', 'KERNEL32.dll')
('0x279320', 'CloseHandle')
('0x279360', 'KERNEL32.dll')
('0x2796a0', 'FindNextFileW')
('0x2796e0', 'KERNEL32.dll')
('0x2797b3', 'Cannotaccesstofold')
('0x27a460', 'KERNEL32.dll')
('0x27a4e3', 'kernel32.dll')
('0x27a540', 'PathCombineW')
('0x27a580', 'SHLWAPI.dll')
('0x27a5e0', 'CreateFileW')
('0x27a620', 'KERNEL32.dll')
('0x27a692', 'GetFileTime')
('0x27a6d0', 'KERNEL32.dll')
('0x27a730', 'CloseHandle')
('0x27a770', 'KERNEL32.dll')
('0x27acf0', 'CreateFileW')
('0x27ad30', 'KERNEL32.dll')
('0x27ade0', 'GetFileTime')
('0x27ae20', 'KERNEL32.dll')
('0x27af80', 'GetLastError')
('0x27afc0', 'KERNEL32.dll')
('0x27b430', 'GetLastError')
('0x27b470', 'KERNEL32.dll')
('0x27b932', 'CreateFileW')
('0x27b970', 'KERNEL32.dll')
('0x27b9f0', 'GetLastError')
('0x27ba30', 'KERNEL32.dll')
('0x27bf60', 'KERNEL32.dll')
('0x27c000', 'KERNEL32.dll')
('0x27c080', 'KERNEL32.dll')
('0x27c1b0', 'CloseHandle')
('0x27c1f0', 'KERNEL32.dll')
('0x27c270', 'GetLastError')
('0x27c2b0', 'KERNEL32.dll')
('0x27c3c3', 'Nodescriptorfound.')
('0x27c860', 'KERNEL32.dll')
('0x27c950', 'CloseHandle')
('0x27c990', 'KERNEL32.dll')
('0x27c9f0', 'GetLastError')
('0x27ca30', 'KERNEL32.dll')
('0x27cb00', 'CloseHandle')
('0x27cb40', 'KERNEL32.dll')
('0x27cdc0', 'CloseHandle')
('0x27ce00', 'KERNEL32.dll')
('0x27d180', 'KERNEL32.dll')
('0x27d1f0', 'DeleteFileW')
('0x27d230', 'KERNEL32.dll')
('0x27d290', 'GetLastError')
('0x27d2d0', 'KERNEL32.dll')
('0x27d3e3', 'Deletesuccessed.')
('0x2c3743', 'Deletepayloadcorrupt')
('0x27da30', 'PathCombineW')
('0x27da70', 'SHLWAPI.dll')
('0x27dac4', 'FindFirstFile')
('0x27db00', 'KERNEL32.dll')
('0x27dc20', 'PathCombineW')
('0x27dc60', 'SHLWAPI.dll')
('0x27ded1', 'FindNex2@\x04@%@')
('0x27df10', 'KERNEL32.dll')
('0x284030', 'OpenClipboard')
('0x284110', 'Kernel32.dll')
('0x2841b3', '<CTRL+V>')
('0x284253', '</CTRL+V>')
('0x284fe3', 'Composition')
('0x285073', 'Sfwr\\irsf\\i')
('0x28507c', 'otaeMcootW')
('0x285484', 'Monitor%d[%d*%d]')
('0x28b280', 'DeleteObject')
('0x28b400', 'KERNEL32.dll')
('0x28b4a0', 'KERNEL32.dll')
('0x28b6d0', 'Advapi32.dll')
('0x28cdc0', 'KERNEL32.dll')
('0x28d230', 'ExitProcess')
('0x28d270', 'KERNEL32.dll')
('0x28d3b0', 'GetTempPathW')
('0x28d3f0', 'KERNEL32.dll')
('0x28d4a0', 'PathCombineW')
('0x28d4e0', 'SHLWAPI.dll')

--End Decoded Strings--

Screenshots
Figure 1 - This screenshot illustrates the malware sending an initial block of data to its hard-coded C2 server. As with the malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1, this malware's initial outbound block contains a chunk of random data and the unicode string "hello".

Figure 1 - This screenshot illustrates the malware sending an initial block of data to its hard-coded C2 server. As with the malware sample 66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16 in MAR-10382580.r1.v1, this malware's initial outbound block contains a chunk of random data and the unicode string "hello".

Figure 2 - This screenshot illustrates the malware's hard-coded cryptographic key it utilizes to encrypt and decrypt its network communications traffic via the algorithm in Figure 4.

Figure 2 - This screenshot illustrates the malware's hard-coded cryptographic key it utilizes to encrypt and decrypt its network communications traffic via the algorithm in Figure 4.