Malware Analysis Report (AR22-277A)

MAR-10365227-1.v1 CovalentStealer

Click to Tweet.
Click to send to Facebook.
Click to Share.

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts by the Cybersecurity and Infrastructure Security Agency (CISA) to provide detailed analysis of files associated with CovalentStealer malware, which is designed to identify and exfiltrate files to a remote server. CISA obtained CovalentStealer malware samples during an on-site incident response engagement at a Defense Industrial Base (DIB) Sector organization compromised by advanced persistent threat (APT) actors.

CISA analyzed 19 files associated with CovalentStealer malware. The files are designed to identify file shares on a system, categorize the files, and upload the files to a remote server. The files include two configurations that specifically target the victim's documents using predetermined files paths and user credentials. The two remaining files were identified as open source utilities the threat actor utilized on the victim's system. One file is a publicly available utility used to compress and archive other files. The second file is an open source utility used to extract the Master File Table (MFT) from a volume and can be used for file enumeration.
CISA is distributing this MAR to enable network defense and reduce exposure to APT sponsored malicious cyber activity.

For more information on the confirmed compromise, see Joint CSA: Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization.

Download the STIX version of this report: MAR-10365227.r1.v1.WHITE_stix, 966 KB

Submitted Files (19)

09605981a072c604e6ef9ad2dd7d2a78b48b07ee3339589bfcf0a466a9190904 (msexch.log)

0b01f392fa030be1ddd549fb79cf280d2a2c745578a56fedd4cb5e9438ae72cb (ntstatus.bat)

0b7d15968d44710b3e7f153c04b5038d03900a6685643bc8efe688c4d5a5deab (ntstatus_temp.log)

157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656 (ntstatus.exe)

25afc6741abfa27f5b50844331772466182ebe3f74bc84f911314d1a68c62cb2 (mqsvn.ini)

30191b3badf3cdbc65d0ffeb68e0f26cef10a41037351b0f562ab52fce7432cc (msexch.exe)

3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350 (mqsvn.exe)

517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d (onedrv.dat)

52765525103f5b3b07d0882cc8ee4bb8e279ad5d451e1ed07cae3b98565cce29 (msexch.ini)

5ba0d0bfda372c1f6aa382a70f4ab8427ec998b680510e208fdf878cfda9afe3 (ntstatus.log)

603e75db59285734cfb5a469e984c4e359e660ccb7836ff9c209aec36931bc2b (mqsvn.log)

6a0cd866c849e62f9ccc26575d8794c2e0b14722387742b965d4358e1e0e8b3c (msexch_temp.log)

84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb (onedrv.exe)

91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b (onedrv.ini)

b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6 (ntstatus.bin)

bfa7adeda4597b70bf74a9f2032df2f87e07f2dbb46e85cb7c091b83161d6b0a (vmware.exe)

da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df (ntstatus.ini)

e03a2c8a6e81cf62ba7401c598ea1d4635b08bbf9c2fec080b536dde29e6392f (msexch.bin)

fae38156e9ce12368c846836b87861f4f12e14698cb65f14545205fa56d8c496 (vmware.ps1)

Additional Files (2)

1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da (result.exe)

d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8 (Uploader.exe)

Findings

84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb

Tags

information-stealeruploader

Details
Name onedrv.exe
Size 791040 bytes
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5 806998079c80f53afae3b0366bac1479
SHA1 9f7378da13ca1da75e12e536c8e2dc4cd2236489
SHA256 84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb
SHA512 3d592a606426386fa5f1224c7d3f82f31f5a4d23f9c67422d774e080725bc5698e7786407863dd50d7172e814871bdfabbbe6dce9545733d995ddd892249ba22
ssdeep 12288:kyIzsYTd+LXxWtmtOdnPR3xTexehCkijOcXF8qSH8gdkMdCNGCWJOWCmP8pSMmVN:ky4sO+9ymtsnPRBnlivXPSHxkMNHCNp
Entropy 7.996795
Antivirus
Avira HEUR/AGEN.1221987
YARA Rules
  • rule CISA_10365227_03 : ClientUploader
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10365227"
           Date = "2021-12-23"
           Last_Modified = "20211224_1200"
           Actor = "n/a"
           Category = "n/a"
           Family = "n/a"
           Description = "Detects ClientUploader_onedrv"
           MD5_1 = "806998079c80f53afae3b0366bac1479"
           SHA256_1 = "84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb"
       strings:
           $s1 = "Decoder2"
           $s2 = "ClientUploader"
           $s3 = "AppDomain"
           $s4 = { 5F 49 73 52 65 70 47 ?? 44 65 63 6F 64 65 72 73 }
           $s5 = "LzmaDecoder"
           $s6 = "$ee1b3f3b-b13c-432e-a461-e52d273896a7"
       condition:
           uint16(0) == 0x5a4d and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2021-09-10 17:59:57-04:00
Internal Name ClientUploader.exe
Original Filename ClientUploader.exe
Product Version 1.0.0.0
PE Sections
MD5 Name Raw Size Entropy
6b81a95076cc3d6f6dff7d32afa3b7e2 header 512 2.297287
2d3081eb51c7c393e0a670c8bfcf7c24 .text 788992 7.998126
5569bca67ba8c174f30990c07b585dbe .rsrc 1536 3.966404
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
84164e1e80... Used 91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b
84164e1e80... Created 517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d
Description

This file has been identified as CovalentStealer malware. The actor utilized code from several open source projects, including ClientUploader. The retained the internal name "ClientUploader.exe". The program is a file management system that is capable of uploading files to the Internet.

When the program is executed, it will spawn an instance of itself in memory called ‘koi’. This instance accesses several embedded resources that it uses to locate and manipulate files on the system. The following is a list of the primary embedded resources:

---Begin Embedded Resources---
BaseNetwork – This resource is used to create sessions and establish connections to the server.
FileContainer – This resource is used to access file shares via Server Message Block (SMB). It is also used to enumerate files and directories and sort them by Message Digest 5 (MD5) hash. It maintains Internet Protocol (IP) addresses, logins, domain names, passwords, and paths for shares on the network.
IFileWorker – This resource is a file management program that is capable of moving and categorizing files. It contains compression libraries for Gzip and Brotli, as well as a file blacklist.
Encryption – This resource handles file encryption, decryption and secure communications. It decrypts the configuration file, onedrv.ini (91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b) using the hard-coded Advanced Encryption Standard (AES) key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’ and an Initialization Vector (IV) using the first half of the AES key (See Figure 1).
OneDriveClient – This resource targets a user’s OneDrive account and creates an upload session to send the files to a remote server. It is able to access files in the victim’s OneDrive by unique ID (See Figure 2). Files are uploaded to a Microsoft Azure client identified in the configuration file onedrv.ini by client ID.
---End Embedded Resources---

The program runs a debugging routine and will output debugging data to a file with the same name as the malware and with the .dat extension, e.g. onedrv.dat (517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d).

Screenshots
Figure 1 - This is the AES encryption routine. The routine uses the hard-coded string 'M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h' as the AES key and the first half of the key as the IV.

Figure 1 - This is the AES encryption routine. The routine uses the hard-coded string 'M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h' as the AES key and the first half of the key as the IV.

Figure 2 - This is the configuration for the upload session. This module is able to access items in the user's OneDrive by unique ID.

Figure 2 - This is the configuration for the upload session. This module is able to access items in the user's OneDrive by unique ID.

517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d

Details
Name onedrv.dat
Size 267224 bytes
Type ASCII text, with CRLF line terminators
MD5 dc0414dec9a84d6342c5d5fc77bbdbed
SHA1 1dad19123564d7d02c3259ab4b06c90181dc4b37
SHA256 517faa4a0666ec68842f256f08d987935b6ce9ef64e33f027e084e8f45b9366d
SHA512 1d262f06881516ca2274d8fb18bcb4bcf9c0b3229370b0609f3803f356a676b1149e22da6a33957862d8470a8531d9719af07bd75379df2ca29e373604fb32cb
ssdeep 3072:ERNwmyBvqZKFkVfhJnEFbDcazPQLTnVy8JR6Ylb3uQ0PQNIfFrCGdDlBXZuZpZfB:bWrjgA
Entropy 5.360335
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
517faa4a06... Created_By 84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb
Description

This file contains output from the debugging routine in onedrv.exe (84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb).

91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b

Tags

information-stealer

Details
Name onedrv.ini
Size 1088 bytes
Type data
MD5 a0ab6d3e643d4dd51ee6ae9079b175a4
SHA1 f179fcc4c41ca5cb443551f88a1074d5176d33f4
SHA256 91a8b31c126a021f5c156742016acdcca7d83eac4b583bae5d4fd0a85a96813b
SHA512 237baa401e0c52ca816cebafa5abf088e9a757f4da452e97210a1fe8eda8c0adc67aa19cacd662dcc98f5bd355d679fb096ff4e97cd54e16c199c66946d65a5e
ssdeep 24:olkc5V0yhsd/AFvaPo3b6EJ2ITY9UI62JPld5oKLeWb6l+vTI:olkq0yK/Ata5EJ2I5nOTvTI
Entropy 7.824751
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
91a8b31c12... Used_By 84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb
Description

This artifact is the encrypted configuration file for the OneDriveClient module contained in the file ondrv.exe (84164e1e8074c2565d3cd178babd93694ce54811641a77ffdc8d1084dd468afb). The data is decrypted using the hard-coded key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’.

The file contains paths to two archives targeted by the attacker. The file includes the IP address of the server, stolen credential information, and a key to encrypt the uploaded data. NOTE: The decrypted configuration contains confidential client information and therefore is not included in this report.

In addition, the data contains a refresh token for an OAuth client for Microsoft Azure with the Client ID of ‘7a3b4b84-ed28-4f18-b30d-218788c74a5f’. Speed and compression information as well as times that the OneDrive share can be accessed are also included in the configuration.

157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656

Tags

information-stealerobfuscatedtrojanuploader

Details
Name ntstatus.exe
Size 6656 bytes
Type PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5 c435d133b45783cce91a5d4e4fbe3f52
SHA1 9ddfa0669358bc19a166a41fd93cec5a3c88205d
SHA256 157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656
SHA512 e4d43dc23ff78f55bc857608fa33691eb7fb3e132332660b46460e7e7512104bc22484489d3d0fbd136270de9f7060641505ad2854cefd50b31ca6bb31b2ae18
ssdeep 96:nPbVkB7jiZStZC+01RPmaUrfzvDwiFMCnd+taflUTsqzNt:nPbqFiwW+g5maMzDwQMCQwmT
Entropy 4.921630
Antivirus
Adaware Gen:Variant.Tedy.82790
Bitdefender Gen:Variant.Tedy.82790
ESET a variant of MSIL/Agent.VOV trojan
McAfee Generic trojan.ri
NETGATE Malware.Generic
Symantec Process timed out
YARA Rules
  • rule CISA_10365227_01 : APPSTORAGE
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10365227"
           Date = "2021-12-23"
           Last_Modified = "20211224_1200"
           Actor = "n/a"
           Category = "n/a"
           Family = "APPSTORAGE"
           Description = "Detects AppStorage_ntstatus_msexch samples"
           MD5_1 = "c435d133b45783cce91a5d4e4fbe3f52"
           SHA256_1 = "157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656"
           MD5_2 = "baa634fdd2b34956524b5519ee97b8a8"
           SHA256_2 = "30191b3badf3cdbc65d0ffeb68e0f26cef10a41037351b0f562ab52fce7432cc"
       strings:
           $s1 = "026B924DD52F8BE4A3FEE8575DC"
           $s2 = "GetHDDId"
           $s3 = "AppStorage"
           $s4 = "AppDomain"
           $s5 = "$1e3e5580-d264-4c30-89c9-8933c948582c"
           $s6 = "hrjio2mfsdlf235d" wide
       condition:
           uint16(0) == 0x5a4d and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2101-07-23 04:43:10-04:00
Internal Name AppStorage.exe
Original Filename AppStorage.exe
Product Version 1.0.0.0
PE Sections
MD5 Name Raw Size Entropy
3994632889cebeff28c360da22c696f3 header 512 2.255013
bec2cac9d419ae07e526a03c4a94cb64 .text 4608 5.307382
0551c676439e5d812cb2bab3f2060c1b .rsrc 1536 3.934855
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
157a0ffd18... Related_To b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6
157a0ffd18... Dropped 1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da
157a0ffd18... Related_To 0b01f392fa030be1ddd549fb79cf280d2a2c745578a56fedd4cb5e9438ae72cb
Description

This artifact is an obfuscated .NET executable that is used to decode a variant of the CovalentStealer malware. When executed, the program will check the present name of the program and then look in the current directory for a file with the same name and a .bin extension, e.g. ntstatus.bin (b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6).

The program seeks to generate a key called ‘HDDId’ to decode ntstatus.bin. The embedded string ‘hrjio2mfsdlf235d’ is used to decode instructions within the program to generate the key (See Figure 3). The first command identifies the machineName of the system. The second command reads the Windows Management Instrumentation (WMI) namespace root/cimv2 to locate the volumeserialnumber of the current drive. Both variables are then modified using an exclusive OR (XOR) routine and the same string above is used to generate the key (See Figure 4). The first part of the key is generated from the volumeserialnumber, and during analysis resolved to ‘76D55BD2’. The machineName resolved to ‘F3124EDD’ creating the key ‘76D55BD2F3124EDD’ (See Figure 5). Note: The key is an example.

To generate the correct key the machineName and volumeserialnumber must match the victim’s system, otherwise it fails to decode ntstatus.bin and the program will terminate. This method is used to thwart independent analysis of the file, ntstatus.bin.

Screenshots
Figure 3 - Screenshot of the XOR routine using the string 'hrjio2mfsdlf235d'.

Figure 3 - Screenshot of the XOR routine using the string 'hrjio2mfsdlf235d'.

Figure 4 - The program collects the machineName and volumeserialnumber to generate the HDDId key.

Figure 4 - The program collects the machineName and volumeserialnumber to generate the HDDId key.

Figure 5 - This is the generated HDDId key used to decode ntstatus.bin

Figure 5 - This is the generated HDDId key used to decode ntstatus.bin

b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6

Tags

information-stealerobfuscateduploader

Details
Name ntstatus.bin
Size 1834496 bytes
Type data
MD5 d5a7b90177cdf81c2e1de40dc834d764
SHA1 d5dee0a05101cf9ed3c3ca76cf01f518c3ef922c
SHA256 b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6
SHA512 cfccd6701a69047c7de246601d2cd41cdc87d314bdcf070778938dad22e3bf5911d3beca0d75379dabdda1ad3c229c3bec329b840f5e4828c8bab41c1cdff159
ssdeep 24576:vsGNL+Kei7j3iTeG0fYHTlyAUoFwZJuaEh68w8To7FgunNZG10guctbAgYMEc+1B:DNb7dEh68E72O4hEVF
Entropy 6.681125
Antivirus
Symantec Unavailable (production)
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
b03ac5eaf2... Related_To 157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656
b03ac5eaf2... Contains 1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da
Description

This is an obfuscated version of CovalentStealer malware. The file is decoded by ntstatus.exe (157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656) using the key '76D55BD2F3124EDD'. The decoded file is called result.exe (1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da) and is detailed in this report.

1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da

Tags

information-stealeruploader

Details
Name result.exe
Size 1834496 bytes
Type PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
MD5 27a0ba098b8403570c7b1e0863c2d6c5
SHA1 22cb98b9548ffd1010b2799a791ef42b8943f3c9
SHA256 1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da
SHA512 7eb71e11947a762d8a9a396de21d6b704f8021acc0ddfc7a959897569d429f3347c9bd1c3206703375d09a81defd3d1f9bba0ea137157d8546b862ded030c4c2
ssdeep 49152:F2f6rfgMSneK065JlYaDmxZF5ax00MSMoOKiYyBg9FzfJNFL5QPWES2s1B+dBrSY:F2f6rfgMSneK065JlYaDmxZF5ax00MSt
Entropy 5.579937
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches
97 d221ca9c519ae04c7724baca8d36c2ce77454e0f9aa0f119ecfa9246973a92f8
PE Metadata
Compile Date 2021-10-19 20:19:25-04:00
Import Hash f34d5f2d4577ed6d9ceec516c1f5a744
Internal Name ClientUploader.exe
Original Filename ClientUploader.exe
Product Version 1.0.0.0
PE Sections
MD5 Name Raw Size Entropy
8a2ac318e59571d7c72221d67498bd5f header 512 2.722440
be70af56c305ef153e32ecc2430d4d8a .text 1831936 5.581972
5488f249cf62feed84546911d54f96f2 .rsrc 1536 3.971470
f80d2b416a07808182a35c49f6967d8f .reloc 512 0.101910
Relationships
1352dbb093... Created 5ba0d0bfda372c1f6aa382a70f4ab8427ec998b680510e208fdf878cfda9afe3
1352dbb093... Created 0b7d15968d44710b3e7f153c04b5038d03900a6685643bc8efe688c4d5a5deab
1352dbb093... Used da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df
1352dbb093... Dropped_By 157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656
1352dbb093... Created 0b01f392fa030be1ddd549fb79cf280d2a2c745578a56fedd4cb5e9438ae72cb
1352dbb093... Contained_Within b03ac5eaf2131060ee381e5e46ebc705d8d617a90cc61fa4918174545b4fbaa6
Description

This artifact has been identified as CovalentStealer malware. When the program is executed it will decrypt and read the configuration file ntstatus.ini (da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df) in the current directory. It uses the hard-coded AES-256-CBC key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’ to decrypt the file. The configuration file will include a path to the directory containing the targeted files, compression parameters, and connection parameters for connecting to a system on the Internet to upload data.

The malware has several primary modules. The module IFileWorker contains the following functions:

---Begin IFileWorker Functions---
Brotli. – This function contains the Brotli compression library to compress and decompress files.
ContainersFilesWorker. – This function keeps track of uploaded files. It compares the files to a hash list for the file and path before uploading and also compares them to a whitelist and a blacklist by file extension. It also logs the status of each file in the upload process.
Extension. – This function checks the file extension to determine if the file needs to be compressed.
File Archive. – This function verifies the size of the file and disposition before compressing the file.
FileBlock. – This function converts the file data into a byte stream.
FileContainers. – This function segregates files by file type based on the extension.
GZip. – This function contains the Gzip compression library to compress and decompress files.
Logger. – This function logs debug status messages and telemetry data from other functions and outputs them to a file using the base name and the .dat extension, e.g. ntstatus.dat (See Figure 6).
WhiteAndBlackList. – This function maintains a list of files by name and a list of files by extension that match the whitelist or blacklist from the configuration file.
---End IFileWorker Functions---

Note: The actor utilized this code from the open source project IFileWorker.

The module OneDriveClient contains the following functions:

---Begin OneDriveClient Functions---
OneDrive. – This function uploads files to a Uniform Resource Locator (URL). It configures speed, buffer size, time, etc. based on the parameters in the configuration file, ntstatus.ini. Then, it reports the status of each file to the IFileWorker.Logger function. The following are examples of the OneDrive commands:

    ---Begin OneDrive Commands---
    OneDriveClient.OneDriveChannel+<Send>
    OneDriveClient.OneDrive+<GetAccessToken>
    OneDriveClient.OneDrive+<UploadData>
    OneDriveClient.OneDrive+<UploadFile>
    OneDriveClient.OneDrive+<UploadLargeFile>
    OneDriveClient.OneDrive+<GetUploadUrl>
    OneDriveClient.OneDrive+<UploadPartWithStopwatch>
    OneDriveClient.OneDrive+<UploadPart>
    OneDriveClient.OneDrive+<UploadSmallFileWithStopWatch>
    OneDriveClient.OneDrive+<UploadSmallFile>
    ---End OneDriveClient Functions---

OneDriveChannel. – This function establishes the connection to the server.
OneDriveChannelSettings. – This function reads the ClientID, Redirect, Refresh Token, and Scopes from the configuration file, ntstatus.ini to negotiate the connection to the client.
UploadedFiles. – This function logs the hash and the file path of the uploaded files and records the information into two files where ntstatus.log contains a list of file hashes and ntstatus_temp.log contains a list of file path hashes (See Figure 7).
---End OneDriveClient Functions---

The program also contains supporting libraries for the SMB protocol versions 2 and 3. The libraries have the capacity to maintain a list of IP addresses, logins, domainNames, passwords, and SMB clients that can be used to attempt to search for and log into SMB file stores. Files can be searched by file path, file status (e.g., open or closed), and file attributes (e.g. shared, read only, etc.).

Screenshots
Figure 6 - The IFileWorker.Logger function is used to generate the log file for debug and telemetry data.

Figure 6 - The IFileWorker.Logger function is used to generate the log file for debug and telemetry data.

Figure 7 - The OneDriveClient.UploadedFiles function records MD5 hashes of uploaded files into the file ntstatus.log and MD5 hashes of the file paths into the file ntstatus_temp.log.

Figure 7 - The OneDriveClient.UploadedFiles function records MD5 hashes of uploaded files into the file ntstatus.log and MD5 hashes of the file paths into the file ntstatus_temp.log.

da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df

Tags

information-stealeruploader

Details
Name ntstatus.ini
Size 3392 bytes
Type data
MD5 b1a7c2ae593e814cfecdcff709b02615
SHA1 ababa956175b2ddae7ec92162a8464b40b79064a
SHA256 da267c72f58ec487761de99d0f3bcfd87771a36afc06716053960633a74139df
SHA512 f511508878f821f80f10d387a60c7bab14c7384cd4ce0a68c73b0331d13d4b716805e3a53794ef0def0062d08eea489ef6239c53c2fa2d7f1c3478aba7e204b1
ssdeep 96:m74SD0f7Z2wXZ/BFmcktZdsczgmwL1COPP8yeTY4l9N:s4SDA73Zqlt7gmYQEUyMY4jN
Entropy 7.948675
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
da267c72f5... Used_By 1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da
Description

This artifact is the encrypted configuration file for the OneDriveClient module contained in the file result.exe (1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da) detailed in this report. The data is decrypted using the hard-coded AES-256-CBC key ‘M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h’. The algorithm uses an IV that is derived from the first half of the encryption key (See Figure 8).

The file contains multiple paths to archives targeted by the attacker. The file includes the IP address of the server, stolen credential information, and a key to encrypt the uploaded data. NOTE: The decrypted configuration contains confidential client information and therefore is not included in this report.

In addition, the data contains a refresh token for an OAuth client for Microsoft Azure with the Client ID of ‘7a3b4b84-ed28-4f18-b30d-218788c74a5f’. Speed and compression information as well as times that the OneDrive share can be accessed are also included in the configuration.

Screenshots
Figure 8 - This is the AES encryption routine. The routine uses the hard-coded string 'M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h' as the AES key and the first half of the key as the IV.

Figure 8 - This is the AES encryption routine. The routine uses the hard-coded string 'M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h' as the AES key and the first half of the key as the IV.

0b01f392fa030be1ddd549fb79cf280d2a2c745578a56fedd4cb5e9438ae72cb

Details
Name ntstatus.bat
Size 91 bytes
Type ASCII text, with CRLF line terminators
MD5 d287a50bd0b95d1f153dc071d43e45d3
SHA1 cf1d9da39f4847ee735d46157232585068387763
SHA256 0b01f392fa030be1ddd549fb79cf280d2a2c745578a56fedd4cb5e9438ae72cb
SHA512 1507fd6f41c853f84b7b036280ac6c21556ce5cf10b4008c2902020291255b5bb55e63ebda9921032fd8ebf7f9fd8fffbb7de40e696601bee1486a6155b2a5ed
ssdeep 3:nlKsoFDLAdAIvVNIGfMMAyIJooORKQExLAdAn:n25ABvoGfdICFRZENAC
Entropy 4.579538
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
0b01f392fa... Created_By 1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da
0b01f392fa... Related_To 157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656
Description

This artifact is a batch file (.bat) that terminates the current process of ntstatus.exe (157a0ffd18e05bfd90a4ec108e5458cbde01015e3407b3964732c9d4ceb71656). It then changes to the directory C:\windows\modemlogs\ and invokes a new instance of ntstatus.exe.

5ba0d0bfda372c1f6aa382a70f4ab8427ec998b680510e208fdf878cfda9afe3

Details
Name ntstatus.log
Size 17520 bytes
Type data
MD5 5753ddd324c2054718252c834d93aac9
SHA1 a2e852b0d911ced7011a7b954fc379c0d0564fc5
SHA256 5ba0d0bfda372c1f6aa382a70f4ab8427ec998b680510e208fdf878cfda9afe3
SHA512 c326d682fdad505f414bbbbbbcd219d40f8f9948c40ffcfd28a5ac5d9cfec647d5f2712ea23eb79bfafd19edfb49577a75f0f99c616abc444da62820eeee4dc6
ssdeep 384:VEiJb1Xwe87kARzd/CT74lZzRdNKHa7QYopmafni+/5vFdIg:VONdKgVm8Qognie5vFdIg
Entropy 7.989546
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
5ba0d0bfda... Created_By 1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da
Description

This artifact is a log file created by the OneDriveClient.UploadedFiles function contained in the file result.exe (1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da). The file contains the MD5 hash of each file that has been uploaded to the remote server.

0b7d15968d44710b3e7f153c04b5038d03900a6685643bc8efe688c4d5a5deab

Details
Name ntstatus_temp.log
Size 17520 bytes
Type data
MD5 adfac9c5ef66c21b85fde6503c025b58
SHA1 d7950ad0cc1798f2184be502fcb12bc0a6f27864
SHA256 0b7d15968d44710b3e7f153c04b5038d03900a6685643bc8efe688c4d5a5deab
SHA512 f14a0b26627b15f628a702deca3ec1696c518cdd05f70426d5a4631a8ec6ced60ab96bfdadcbb362c27932de9a95f4794656379a5512eac3774f84e569fe2671
ssdeep 384:gyf7wfPR70mHa7Kdghm5dnB9Yr+DLPim849pbm0NNzt0B1rzLw2nd:wBvKKdghAB9YreLPF84r1N5t0B1XT
Entropy 7.990357
Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
0b7d15968d... Created_By 1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da
Description

This artifact is a log file created by the OneDriveClient.UploadedFiles function contained in the file result.exe (1352dbb093a337eb8db9d0135adbe0542bb7e7163616e4f8962919becab171da). The file contains the MD5 hash of the file path for each file that has been uploaded to the remote server.

3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350

Tags

downloaderinformation-stealertrojanuploader

Details
Name mqsvn.exe
Size 114688 bytes
Type PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
MD5 63cf36ac25788e13b41b1eb6bfc0c6b6
SHA1 22ab6af92ddd984bd054c21799742a5e498e8453
SHA256 3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350
SHA512 52ecffb0004f5aee6f3a0c7e0edcbe1079845e20a712ac26854921dea9b46ece0d5f89698e833804ebdc9c3f525a8cc8c7a6d781b0caf3164b81cea17edae5c8
ssdeep 3072:KNcJNunM5p0TKWODtcT1hR3o92JoeEcfcEcKHWjUNSGdyRCOKFWc70OrZKqaJjLt:Kyf0M5p0TKWwcBhR3o92JoRcJhHMUNSz
Entropy 5.801283
Antivirus
IKARUS Trojan.MSIL.Crypt
YARA Rules
  • rule CISA_10365227_02 : ClientUploader
    {
       meta:
           Author = "CISA Code & Media Analysis"
           Incident = "10365227"
           Date = "2021-12-23"
           Last_Modified = "20211224_1200"
           Actor = "n/a"
           Category = "n/a"
           Family = "n/a"
           Description = "Detects ClientUploader_mqsvn"
           MD5_1 = "63cf36ac25788e13b41b1eb6bfc0c6b6"
           SHA256_1 = "3585c3136686d7d48e53c21be61bb2908d131cf81b826acf578b67bb9d8e9350"
       strings:
           $s1 = "UploadSmallFileWithStopWatch"
           $s2 = "UploadPartWithStopwatch"
           $s3 = "AppVClient"
           $s4 = "ClientUploader"
           $s5 = { 46 69 6C 65 43 6F 6E 74 61 69 6E 65 72 2E 46 69 6C 65 41 72 63 68 69 76 65 }
           $s6 = { 4F 6E 65 44 72 69 76 65 43 6C 69 65 6E 74 2E 4F 6E 65 44 72 69 76 65 }
       condition:
           uint16(0) == 0x5a4d and all of them
    }
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2021-06-30 15:10:41-04:00
Company Name Microsoft Corporation
File Description AppVClient.exe
Internal Name None
Legal Copyright © Microsoft Corporation. All rights reserved.
Original Filename None
Product Name AppVClient.exe
Product Version 10.0.19041.84
PE Sections
MD5 Name Raw Size Entropy
bdd5c1c64355001493f1f48cc64646a3 header 512 2.279615
204dc02c928d7206969d5e40f4ed4de4 .text 112640 5.814718
c574847bfb2e8be8830c3d846238d2d6 .rsrc 1536 4.261328
Packers/Compilers/Cryptors
Microsoft Visual C++ v6.0
Relationships
3585c31366... Used 25afc6741abfa27f5b50844331772466182ebe3f74bc84f911314d1a68c62cb2
3585c31366... Created 603e75db59285734cfb5a469e984c4e359e660ccb7836ff9c209aec36931bc2b
Description

This artifact is a variant of CovalentStealer malware. The program is a file management system that is capable of uploading files to the Internet.

This variant of CovalentStealer malware contains two main modules, FileContainer and OneDriveClient, with the following functions:

---Begin Functions---
ClientUploader.Program<Main>
FileContainer.FileArchive<Add>
FileContainer.FileStorage<GetData>
OneDriveClient.OneDriveChannel<Send>
OneDriveClient.OneDrive<GetAccessToken>
OneDriveClient.OneDrive<UploadData>
OneDriveClient.OneDrive<UploadFile>
OneDriveClient.OneDrive<UploadLargeFile>
OneDriveClient.OneDrive<GetUploadUrl>
OneDriveClient.OneDrive<UploadPartWithStopwatch>
OneDriveClient.OneDrive<UploadPart>
OneDriveClient.OneDrive<UploadSmallFileWithStopWatch>
OneDriveClient.OneDrive<UploadSmallFile>
---End Functions---

The FileContainer module is used to enumerate and categorize files on the system. This module is capable of generating an MD5 hash of each file and compressing files using the Gzip or Brotli algorithms. The OneDriveClient module is used to upload files to a Microsoft Azure server on the Internet.

The program will look for a configuration file with the same name as the application and the .ini extension, e.g. mqsvn.ini (25afc6741abfa27f5b50844331772466182ebe3f74bc84f911314d1a68c62cb2). Alternatively, if this file is not found it will look for the file ‘config.ini’ (See Figure 9).

The configuration file is decoded using the AES-256-CBC key M(xcHq88q[s=pc7^+u_Gb_}JC%QQwP:h that is derived from the de-serialized string TSh4Y0hxODhxW3M9cGM3Xit1X0diX31KQyVRUXdQOmg= embedded in the file. The first 16 bytes of the key are then used as an IV (See Figure 8 above).

Other strings were de-serialized to provide additional parameters for the malware program. For example, the string LmJtcDsuanBnOy5qcGVnOy50aWZmOy50AWV7LnBuZw== decoded to a block list of files that the program is supposed to skip containing the extensions ‘.bmp;.jpg;.jpeg;.tiff;.tif;.png’ and the string LmRvY3g7Lnhsc3g7LnBwdHg= decoded to a list of file extensions that the program is supposed to compress before encrypting and exfiltrating. The extensions included ‘.docx;.xlsx;.pptx’ (See Figure 10).

The configuration file contains a refresh token for an OAuth client for Microsoft Azure as well as a ClientID. In addition, it contains a path to the files targeted for uploading, upload times, an encryption key to encrypt the files before uploading, and compression parameters.

Screenshots
Figure 9 - The ClientUploader program attempts to load a configuration file with an .ini extension from the current directory. The base64 encoded string 'Lmlua@==' represents the .ini extension.

Figure 9 - The ClientUploader program attempts to load a configuration file with an .ini extension from the current directory. The base64 encoded string 'Lmlua@==' represents the .ini extension.