Malware Analysis and Triage Report : AveMaria RAT
From Opera to C2, real quick!
1. Executive Summary
A. Fingerprinting
- MD5: 425cf022932c7ace6542f18af4fbac2a
- SHA256: b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d
- VirusTotal Report: https://www.virustotal.com/gui/file/b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d/detection/f-b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d-1668189288
B. Classification
AveMaria RAT is a Remote Access Trojan that lets the attacker connect to and control the victim's machine through a fake process and a reverse connection to its C&C server.
C. Behavioral Summary
AveMaria RAT arrives with a common disguise: the executable carries a fake Word icon. Once launched, the executable starts a number of cmd.exe processes that create two distinct DLL files, nsExec.dll and System.dll, saved in the temp folder C:\Users\<user>\AppData\Local\Temp\nsb436C.tmp (the last folder has a pseudo-random name that changes every time the malware is launched). The process C:\Program Files (x86)\internet explorer\ieinstal.exe is then launched and probably injected with shellcode using the Heaven's Gate technique; this process opens a connection to the C&C su1d[.]nerdpol[.]ovh (IP 4[.]236[.]162[.]205) on port 2222. Finally, persistence is established by copying the original malware into the local folder C:\Users\<user>\AppData\Local\Temp\Fadllers under the name Demiparadise.exe. More details are given in the Static and Dynamic Analysis sections.
2. Static Analysis
Imports
Function Name | Suspicious |
---|---|
SetCurrentDirectoryW | Yes |
SearchPathW | Yes |
OpenProcessToken | Yes |
LookupPrivilegeValueW | Yes |
AdjustTokenPrivileges | Yes |
WritePrivateProfileStringW | Yes |
RegDeleteKeyW | Yes |
RegDeleteValueW | Yes |
RegCreateKeyExW | Yes |
RegSetValueExW | Yes |
RegEnumKeyW | Yes |
MoveFileW | Yes |
SetFileAttributesW | Yes |
RemoveDirectoryW | Yes |
GetTempFileNameW | Yes |
WriteFile | Yes |
MoveFileExW | Yes |
FindFirstFileW | Yes |
FindNextFileW | Yes |
DeleteFileW | Yes |
SHGetSpecialFolderLocation | Yes |
SHGetPathFromIDListW | Yes |
SHBrowseForFolderW | Yes |
SHGetFileInfoW | Yes |
SHFileOperationW | Yes |
SetFileSecurityW | Yes |
SetEnvironmentVariableW | Yes |
CreateProcessW | Yes |
GetExitCodeProcess | Yes |
ShellExecuteW | Yes |
CloseClipboard | Yes |
SetClipboardData | Yes |
EmptyClipboard | Yes |
OpenClipboard | Yes |
ExitWindowsEx | Yes |
SystemParametersInfoW | Yes |
IsWindowEnabled | |
SetWindowPos | |
GetWindowLongW | |
GetMessagePos | |
CallWindowProcW | |
IsWindowVisible | |
DispatchMessageW | |
PeekMessageW | |
EnableWindow | |
SendMessageW | |
DefWindowProcW | |
RegisterClassW | |
CreateWindowExW | |
DestroyWindow | |
ShowWindow | |
IsWindow | |
SetWindowLongW | |
FindWindowExW | |
SendMessageTimeoutW | |
SetForegroundWindow | |
WaitForSingleObject | |
GetDiskFreeSpaceW | |
LoadCursorW | |
GetPrivateProfileStringW | |
RegOpenKeyExW | |
RegEnumValueW | |
RegCloseKey | |
RegQueryValueExW | |
GetTickCount | |
GetWindowsDirectoryW | |
GetSystemDirectoryW | |
ExpandEnvironmentStringsW | |
GetSystemMetrics | |
GlobalLock | |
GlobalFree | |
GlobalAlloc | |
GlobalUnlock | |
CoTaskMemFree | |
GetFileAttributesW | |
GetFullPathNameW | |
GetFileSize | |
GetTempPathW | |
CopyFileW | |
CompareFileTime | |
CreateDirectoryW | |
CreateFileW | |
GetShortPathNameW | |
SetFileTime | |
SetFilePointer | |
ReadFile | |
FindClose | |
Sleep | |
GetCurrentProcess | |
ExitProcess | |
GetCommandLineW | |
CreateThread | |
PostQuitMessage | |
GetModuleFileNameW | |
GetProcAddress | |
GetModuleHandleA | |
FreeLibrary | |
LoadLibraryExW | |
GetModuleHandleW | |
GetLastError | |
GetVersion | |
SetErrorMode | |
lstrlenW | |
lstrcmpiA | |
lstrcpyA | |
lstrcpyW | |
lstrcatW | |
lstrcmpiW | |
CloseHandle | |
lstrcmpW | |
lstrcpynW | |
MulDiv | |
MultiByteToWideChar | |
lstrlenA | |
WideCharToMultiByte | |
GetSystemMenu | |
SetClassLongW | |
EnableMenuItem | |
GetSysColor | |
SetCursor | |
CheckDlgButton | |
LoadBitmapW | |
wsprintfW | |
ScreenToClient | |
GetWindowRect | |
SetDlgItemTextW | |
GetDlgItemTextW | |
MessageBoxIndirectW | |
CharPrevW | |
CharNextA | |
wsprintfA | |
GetDC | |
ReleaseDC | |
InvalidateRect | |
BeginPaint | |
GetClientRect | |
FillRect | |
EndDialog | |
GetClassInfoW | |
DialogBoxParamW | |
CharNextW | |
LoadImageW | |
SetTimer | |
SetWindowTextW | |
GetDlgItem | |
TrackPopupMenu | |
AppendMenuW | |
CreatePopupMenu | |
DrawTextW | |
EndPaint | |
CreateDialogParamW | |
SelectObject | |
SetBkMode | |
CreateFontIndirectW | |
SetTextColor | |
DeleteObject | |
GetDeviceCaps | |
CreateBrushIndirect | |
SetBkColor | |
ImageList_AddMasked | |
17 (DPA_DeleteAllPtrs) | |
ImageList_Destroy | |
ImageList_Create | |
OleUninitialize | |
OleInitialize | |
CoCreateInstance | |
Strings
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.01</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInstZ
CLI (Version 3.1.46.914)
ZTC_T]"#++RctpetWx}tP9|1c%1=1x1!i)!!!!!!!=1x1!=1a1!=1x1%=1x1!i)!=1x1!8x?c$(
ZTC_T]"#++Gxcedp}P}}~r9x1!=x1!i !!!!!=1x1!i"!!!=1x1!i%!8a?c (
ZTC_T]"#++BteWx}tA~x
etc9x1c$=1x1 &$!1=1x1!=x1!8x?c"(
ZTC_T]"#++CtpuWx}t9x1c$=1x1c =1x1!i !!!!!=;x1!=1x1!8x?c"(
dbtc"#++Rp}}Fx
u~fAc~rP9x1c 1=x1!=x1!=1x1!=1x1!8(
Niedersachsen1
Braunschweig1
Radires1%0#
[email protected]+
$Bullede Fiberkufferten Differensens 0
220928204625Z
250927204625Z0
Niedersachsen1
Braunschweig1
Radires1%0#
[email protected]+
$Bullede Fiberkufferten Differensens 0
RichEdit
RichEdit20W
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
verifying installer: %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
SeShutdownPrivilege
.tmp
~nsu
_?=
TEMP
\Temp
/D=
NCRC
NSIS Error
Error writing temporary file. Make sure your temp folder is valid.
@_Nb
.exe
open
%u.%u%s%s
\*.*
*?|<>/":
%s%S.dll
MS Shell Dlg
MS Shell Dlg
3. Dynamic Analysis
- Drive-by download using OneDrive
hxxps://onedrive[.]live[.]com/download?cid=5B98AB7755412578&resid=5B98AB7755412578%21133&authkey=ABR6EpLf8KEegO4
hxxps://fwnola[.]ch[.]files[.]1drv[.]com/y4mbQIvo9IGdCZsMfeI1BKgDAfT-HCtJzMD7x7ZuYBp8wDTE5j3SeQyLVMSV1Tb1Q5HRjJkjcMSVBAciV1HOJr28GUJbFFQkcBVr2xFOWZLKRXI4Sxzzm1FL-8mD3SdCHjf-S4GQxJsVFuWmsC37zBdMMn3Mfq8HvNTZDnG8g4KsO9isextGcJUf12F5qc3xPqE2tBTDD8WY44YMazBuL8oQQ/IsDmQaCLn176.pcz?download&psid=1
- C2 IP and port connection
su1d[.]nerdpol[.]ovh -> 20[.]171[.]84[.]250
- Additional child processes
PID: 7852, Command line: cmd.exe /c set /a "90^17"
PID: 8256, Command line: cmd.exe /c set /a "84^17"
PID: 8784, Command line: cmd.exe /c set /a "67^17"
PID: 9048, Command line: cmd.exe /c set /a "95^17"
PID: 2404, Command line: cmd.exe /c set /a "84^17"
PID: 5820, Command line: cmd.exe /c set /a "93^17"
PID: 5940, Command line: cmd.exe /c set /a "34^17"
PID: 3552, Command line: cmd.exe /c set /a "35^17"
PID: 3964, Command line: cmd.exe /c set /a "43^17"
PID: 4988, Command line: cmd.exe /c set /a "43^17"
PID: 5516, Command line: cmd.exe /c set /a "82^17"
PID: 7184, Command line: cmd.exe /c set /a "99^17"
PID: 7300, Command line: cmd.exe /c set /a "116^17"
PID: 8600, Command line: cmd.exe /c set /a "112^17"
PID: 6040, Command line: cmd.exe /c set /a "101^17"
PID: 4956, Command line: cmd.exe /c set /a "116^17"
PID: 1268, Command line: cmd.exe /c set /a "87^17"
PID: 6808, Command line: cmd.exe /c set /a "120^17"
PID: 6472, Command line: cmd.exe /c set /a "125^17"
PID: 2036, Command line: cmd.exe /c set /a "116^17"
PID: 540, Command line: cmd.exe /c set /a "80^17"
PID: 964, Command line: cmd.exe /c set /a "57^17"
PID: 4640, Command line: cmd.exe /c set /a "124^17"
PID: 2728, Command line: cmd.exe /c set /a "49^17"
PID: 4140, Command line: cmd.exe /c set /a "99^17"
PID: 3540, Command line: cmd.exe /c set /a "37^17"
PID: 536, Command line: cmd.exe /c set /a "49^17"
PID: 7092, Command line: cmd.exe /c set /a "61^17"
PID: 8232, Command line: cmd.exe /c set /a "49^17"
PID: 3060, Command line: cmd.exe /c set /a "120^17"
PID: 2948, Command line: cmd.exe /c set /a "49^17"
PID: 8576, Command line: cmd.exe /c set /a "33^17"
PID: 4908, Command line: cmd.exe /c set /a "105^17"
PID: 444, Command line: cmd.exe /c set /a "41^17"
PID: 8480, Command line: cmd.exe /c set /a "33^17"
PID: 7980, Command line: cmd.exe /c set /a "33^17"
PID: 2556, Command line: cmd.exe /c set /a "33^17"
PID: 6356, Command line: cmd.exe /c set /a "33^17"
PID: 8476, Command line: cmd.exe /c set /a "33^17"
PID: 9052, Command line: cmd.exe /c set /a "33^17"
PID: 5980, Command line: cmd.exe /c set /a "33^17"
PID: 4392, Command line: cmd.exe /c set /a "61^17"
PID: 7248, Command line: cmd.exe /c set /a "49^17"
PID: 7852, Command line: cmd.exe /c set /a "120^17"
PID: 2184, Command line: cmd.exe /c set /a "49^17"
PID: 7020, Command line: cmd.exe /c set /a "33^17"
PID: 4076, Command line: cmd.exe /c set /a "61^17"
PID: 9108, Command line: cmd.exe /c set /a "49^17"
PID: 7876, Command line: cmd.exe /c set /a "97^17"
PID: 3356, Command line: cmd.exe /c set /a "49^17"
PID: 6972, Command line: cmd.exe /c set /a "33^17"
PID: 4648, Command line: cmd.exe /c set /a "61^17"
PID: 6476, Command line: cmd.exe /c set /a "49^17"
PID: 9128, Command line: cmd.exe /c set /a "120^17"
PID: 8640, Command line: cmd.exe /c set /a "49^17"
PID: 8320, Command line: cmd.exe /c set /a "37^17"
PID: 8132, Command line: cmd.exe /c set /a "61^17"
PID: 1596, Command line: cmd.exe /c set /a "49^17"
PID: 2868, Command line: cmd.exe /c set /a "120^17"
PID: 3932, Command line: cmd.exe /c set /a "49^17"
PID: 6436, Command line: cmd.exe /c set /a "33^17"
PID: 6052, Command line: cmd.exe /c set /a "105^17"
PID: 4768, Command line: cmd.exe /c set /a "41^17"
PID: 6424, Command line: cmd.exe /c set /a "33^17"
PID: 3900, Command line: cmd.exe /c set /a "61^17"
PID: 3188, Command line: cmd.exe /c set /a "49^17"
PID: 884, Command line: cmd.exe /c set /a "120^17"
PID: 7124, Command line: cmd.exe /c set /a "49^17"
PID: 704, Command line: cmd.exe /c set /a "33^17"
PID: 1884, Command line: cmd.exe /c set /a "56^17"
PID: 4412, Command line: cmd.exe /c set /a "120^17"
PID: 436, Command line: cmd.exe /c set /a "63^17"
PID: 6536, Command line: cmd.exe /c set /a "99^17"
PID: 6852, Command line: cmd.exe /c set /a "36^17"
PID: 5008, Command line: cmd.exe /c set /a "40^17"
PID: 1960, Command line: cmd.exe /c set /a "90^17"
PID: 5024, Command line: cmd.exe /c set /a "84^17"
PID: 7148, Command line: cmd.exe /c set /a "67^17"
PID: 500, Command line: cmd.exe /c set /a "95^17"
PID: 6760, Command line: cmd.exe /c set /a "84^17"
PID: 7108, Command line: cmd.exe /c set /a "93^17"
PID: 4552, Command line: cmd.exe /c set /a "34^17"
PID: 7128, Command line: cmd.exe /c set /a "35^17"
PID: 5304, Command line: cmd.exe /c set /a "43^17"
PID: 2832, Command line: cmd.exe /c set /a "43^17"
PID: 6276, Command line: cmd.exe /c set /a "71^17"
PID: 8628, Command line: cmd.exe /c set /a "120^17"
PID: 3200, Command line: cmd.exe /c set /a "99^17"
PID: 2180, Command line: cmd.exe /c set /a "101^17"
PID: 8872, Command line: cmd.exe /c set /a "100^17"
PID: 4656, Command line: cmd.exe /c set /a "112^17"
PID: 8884, Command line: cmd.exe /c set /a "125^17"
PID: 8908, Command line: cmd.exe /c set /a "80^17"
PID: 6812, Command line: cmd.exe /c set /a "125^17"
PID: 8656, Command line: cmd.exe /c set /a "125^17"
PID: 7404, Command line: cmd.exe /c set /a "126^17"
PID: 4644, Command line: cmd.exe /c set /a "114^17"
PID: 5688, Command line: cmd.exe /c set /a "57^17"
PID: 3456, Command line: cmd.exe /c set /a "120^17"
PID: 6540, Command line: cmd.exe /c set /a "49^17"
PID: 8692, Command line: cmd.exe /c set /a "33^17"
PID: 8496, Command line: cmd.exe /c set /a "61^17"
PID: 6300, Command line: cmd.exe /c set /a "120^17"
PID: 9084, Command line: cmd.exe /c set /a "49^17"
PID: 4144, Command line: cmd.exe /c set /a "33^17"
PID: 8792, Command line: cmd.exe /c set /a "105^17"
PID: 2092, Command line: cmd.exe /c set /a "32^17"
PID: 7236, Command line: cmd.exe /c set /a "33^17"
PID: 8992, Command line: cmd.exe /c set /a "33^17"
PID: 6456, Command line: cmd.exe /c set /a "33^17"
PID: 4872, Command line: cmd.exe /c set /a "33^17"
PID: 8368, Command line: cmd.exe /c set /a "33^17"
PID: 5328, Command line: cmd.exe /c set /a "61^17"
PID: 3584, Command line: cmd.exe /c set /a "49^17"
PID: 8812, Command line: cmd.exe /c set /a "120^17"
PID: 8400, Command line: cmd.exe /c set /a "49^17"
PID: 8624, Command line: cmd.exe /c set /a "33^17"
PID: 8888, Command line: cmd.exe /c set /a "105^17"
PID: 9196, Command line: cmd.exe /c set /a "34^17"
PID: 3528, Command line: cmd.exe /c set /a "33^17"
PID: 4896, Command line: cmd.exe /c set /a "33^17"
PID: 3444, Command line: cmd.exe /c set /a "33^17"
PID: 3272, Command line: cmd.exe /c set /a "61^17"
PID: 5124, Command line: cmd.exe /c set /a "49^17"
PID: 2000, Command line: cmd.exe /c set /a "120^17"
PID: 7640, Command line: cmd.exe /c set /a "49^17"
PID: 7056, Command line: cmd.exe /c set /a "33^17"
PID: 520, Command line: cmd.exe /c set /a "105^17"
PID: 1272, Command line: cmd.exe /c set /a "37^17"
PID: 7832, Command line: cmd.exe /c set /a "33^17"
PID: 8384, Command line: cmd.exe /c set /a "56^17"
PID: 564, Command line: cmd.exe /c set /a "97^17"
PID: 5232, Command line: cmd.exe /c set /a "63^17"
PID: 7760, Command line: cmd.exe /c set /a "99^17"
PID: 4036, Command line: cmd.exe /c set /a "32^17"
PID: 8824, Command line: cmd.exe /c set /a "40^17"
PID: 5244, Command line: cmd.exe /c set /a "90^17"
PID: 8224, Command line: cmd.exe /c set /a "84^17"
PID: 2112, Command line: cmd.exe /c set /a "67^17"
PID: 6692, Command line: cmd.exe /c set /a "95^17"
PID: 8996, Command line: cmd.exe /c set /a "84^17"
PID: 740, Command line: cmd.exe /c set /a "93^17"
PID: 8744, Command line: cmd.exe /c set /a "34^17"
PID: 4596, Command line: cmd.exe /c set /a "35^17"
PID: 8272, Command line: cmd.exe /c set /a "43^17"
PID: 8136, Command line: cmd.exe /c set /a "43^17"
PID: 1140, Command line: cmd.exe /c set /a "66^17"
PID: 8800, Command line: cmd.exe /c set /a "116^17"
PID: 1972, Command line: cmd.exe /c set /a "101^17"
PID: 7160, Command line: cmd.exe /c set /a "87^17"
PID: 7500, Command line: cmd.exe /c set /a "120^17"
PID: 3756, Command line: cmd.exe /c set /a "125^17"
PID: 6116, Command line: cmd.exe /c set /a "116^17"
PID: 8596, Command line: cmd.exe /c set /a "65^17"
PID: 9200, Command line: cmd.exe /c set /a "126^17"
PID: 7092, Command line: cmd.exe /c set /a "120^17"
PID: 9008, Command line: cmd.exe /c set /a "127^17"
PID: 3060, Command line: cmd.exe /c set /a "101^17"
PID: 2948, Command line: cmd.exe /c set /a "116^17"
PID: 8720, Command line: cmd.exe /c set /a "99^17"
PID: 8308, Command line: cmd.exe /c set /a "57^17"
PID: 444, Command line: cmd.exe /c set /a "120^17"
PID: 8480, Command line: cmd.exe /c set /a "49^17"
PID: 5740, Command line: cmd.exe /c set /a "99^17"
PID: 8680, Command line: cmd.exe /c set /a "36^17"
PID: 6440, Command line: cmd.exe /c set /a "61^17"
PID: 7488, Command line: cmd.exe /c set /a "49^17"
PID: 5076, Command line: cmd.exe /c set /a "120^17"
PID: 2080, Command line: cmd.exe /c set /a "49^17"
PID: 7280, Command line: cmd.exe /c set /a "32^17"
PID: 7724, Command line: cmd.exe /c set /a "38^17"
PID: 2764, Command line: cmd.exe /c set /a "36^17"
PID: 8676, Command line: cmd.exe /c set /a "33^17"
PID: 8424, Command line: cmd.exe /c set /a "49^17"
PID: 8196, Command line: cmd.exe /c set /a "61^17"
PID: 712, Command line: cmd.exe /c set /a "49^17"
PID: 1740, Command line: cmd.exe /c set /a "120^17"
PID: 3360, Command line: cmd.exe /c set /a "49^17"
PID: 4264, Command line: cmd.exe /c set /a "33^17"
PID: 7004, Command line: cmd.exe /c set /a "61^17"
PID: 2480, Command line: cmd.exe /c set /a "120^17"
PID: 3668, Command line: cmd.exe /c set /a "49^17"
PID: 4444, Command line: cmd.exe /c set /a "33^17"
PID: 5224, Command line: cmd.exe /c set /a "56^17"
PID: 4600, Command line: cmd.exe /c set /a "120^17"
PID: 3340, Command line: cmd.exe /c set /a "63^17"
PID: 3040, Command line: cmd.exe /c set /a "99^17"
PID: 2312, Command line: cmd.exe /c set /a "34^17"
PID: 7624, Command line: cmd.exe /c set /a "40^17"
PID: 8916, Command line: cmd.exe /c set /a "90^17"
PID: 9168, Command line: cmd.exe /c set /a "84^17"
PID: 7412, Command line: cmd.exe /c set /a "67^17"
PID: 5324, Command line: cmd.exe /c set /a "95^17"
PID: 1292, Command line: cmd.exe /c set /a "84^17"
PID: 4400, Command line: cmd.exe /c set /a "93^17"
PID: 6796, Command line: cmd.exe /c set /a "34^17"
PID: 4652, Command line: cmd.exe /c set /a "35^17"
PID: 4940, Command line: cmd.exe /c set /a "43^17"
PID: 628, Command line: cmd.exe /c set /a "43^17"
PID: 6644, Command line: cmd.exe /c set /a "67^17"
PID: 6536, Command line: cmd.exe /c set /a "116^17"
PID: 6124, Command line: cmd.exe /c set /a "112^17"
PID: 5008, Command line: cmd.exe /c set /a "117^17"
PID: 1960, Command line: cmd.exe /c set /a "87^17"
PID: 4460, Command line: cmd.exe /c set /a "120^17"
PID: 2904, Command line: cmd.exe /c set /a "125^17"
PID: 5316, Command line: cmd.exe /c set /a "116^17"
PID: 7720, Command line: cmd.exe /c set /a "57^17"
PID: 7048, Command line: cmd.exe /c set /a "120^17"
PID: 1508, Command line: cmd.exe /c set /a "49^17"
PID: 5284, Command line: cmd.exe /c set /a "99^17"
PID: 716, Command line: cmd.exe /c set /a "36^17"
PID: 6184, Command line: cmd.exe /c set /a "61^17"
PID: 7088, Command line: cmd.exe /c set /a "49^17"
PID: 8684, Command line: cmd.exe /c set /a "120^17"
PID: 8256, Command line: cmd.exe /c set /a "49^17"
PID: 3032, Command line: cmd.exe /c set /a "99^17"
PID: 6128, Command line: cmd.exe /c set /a "32^17"
PID: 7476, Command line: cmd.exe /c set /a "61^17"
PID: 6492, Command line: cmd.exe /c set /a "49^17"
PID: 3928, Command line: cmd.exe /c set /a "120^17"
PID: 5144, Command line: cmd.exe /c set /a "49^17"
PID: 3964, Command line: cmd.exe /c set /a "33^17"
PID: 4988, Command line: cmd.exe /c set /a "105^17"
PID: 5516, Command line: cmd.exe /c set /a "32^17"
PID: 4620, Command line: cmd.exe /c set /a "33^17"
PID: 9072, Command line: cmd.exe /c set /a "33^17"
PID: 6756, Command line: cmd.exe /c set /a "33^17"
PID: 192, Command line: cmd.exe /c set /a "33^17"
PID: 2572, Command line: cmd.exe /c set /a "33^17"
PID: 3952, Command line: cmd.exe /c set /a "61^17"
PID: 5580, Command line: cmd.exe /c set /a "59^17"
PID: 6472, Command line: cmd.exe /c set /a "120^17"
PID: 7292, Command line: cmd.exe /c set /a "49^17"
PID: 7224, Command line: cmd.exe /c set /a "33^17"
PID: 4052, Command line: cmd.exe /c set /a "61^17"
PID: 5824, Command line: cmd.exe /c set /a "49^17"
PID: 2892, Command line: cmd.exe /c set /a "120^17"
PID: 7100, Command line: cmd.exe /c set /a "49^17"
PID: 8964, Command line: cmd.exe /c set /a "33^17"
PID: 6488, Command line: cmd.exe /c set /a "56^17"
PID: 3584, Command line: cmd.exe /c set /a "120^17"
PID: 8812, Command line: cmd.exe /c set /a "63^17"
PID: 8400, Command line: cmd.exe /c set /a "99^17"
PID: 9076, Command line: cmd.exe /c set /a "34^17"
PID: 6308, Command line: cmd.exe /c set /a "40^17"
PID: 6564, Command line: cmd.exe /c set /a "100^17"
PID: 7872, Command line: cmd.exe /c set /a "98^17"
PID: 456, Command line: cmd.exe /c set /a "116^17"
PID: 3444, Command line: cmd.exe /c set /a "99^17"
PID: 3272, Command line: cmd.exe /c set /a "34^17"
PID: 5124, Command line: cmd.exe /c set /a "35^17"
PID: 6944, Command line: cmd.exe /c set /a "43^17"
PID: 5304, Command line: cmd.exe /c set /a "43^17"
PID: 2832, Command line: cmd.exe /c set /a "82^17"
PID: 8892, Command line: cmd.exe /c set /a "112^17"
PID: 1272, Command line: cmd.exe /c set /a "125^17"
PID: 7832, Command line: cmd.exe /c set /a "125^17"
PID: 4876, Command line: cmd.exe /c set /a "70^17"
PID: 8072, Command line: cmd.exe /c set /a "120^17"
PID: 5232, Command line: cmd.exe /c set /a "127^17"
PID: 7684, Command line: cmd.exe /c set /a "117^17"
PID: 4036, Command line: cmd.exe /c set /a "126^17"
PID: 5620, Command line: cmd.exe /c set /a "102^17"
PID: 8592, Command line: cmd.exe /c set /a "65^17"
PID: 2392, Command line: cmd.exe /c set /a "99^17"
PID: 2484, Command line: cmd.exe /c set /a "126^17"
PID: 932, Command line: cmd.exe /c set /a "114^17"
PID: 8996, Command line: cmd.exe /c set /a "80^17"
PID: 4120, Command line: cmd.exe /c set /a "57^17"
PID: 8744, Command line: cmd.exe /c set /a "120^17"
PID: 6528, Command line: cmd.exe /c set /a "49^17"
PID: 5036, Command line: cmd.exe /c set /a "99^17"
PID: 2088, Command line: cmd.exe /c set /a "32^17"
PID: 6080, Command line: cmd.exe /c set /a "49^17"
PID: 9040, Command line: cmd.exe /c set /a "61^17"
PID: 732, Command line: cmd.exe /c set /a "120^17"
PID: 7236, Command line: cmd.exe /c set /a "49^17"
PID: 3900, Command line: cmd.exe /c set /a "33^17"
PID: 2744, Command line: cmd.exe /c set /a "61^17"
PID: 6428, Command line: cmd.exe /c set /a "120^17"
PID: 2780, Command line: cmd.exe /c set /a "49^17"
PID: 2576, Command line: cmd.exe /c set /a "33^17"
PID: 7748, Command line: cmd.exe /c set /a "61^17"
PID: 1560, Command line: cmd.exe /c set /a "49^17"
PID: 4564, Command line: cmd.exe /c set /a "120^17"
PID: 3448, Command line: cmd.exe /c set /a "49^17"
PID: 7060, Command line: cmd.exe /c set /a "33^17"
PID: 8888, Command line: cmd.exe /c set /a "61^17"
PID: 1384, Command line: cmd.exe /c set /a "49^17"
PID: 1284, Command line: cmd.exe /c set /a "120^17"
PID: 8500, Command line: cmd.exe /c set /a "49^17"
PID: 8952, Command line: cmd.exe /c set /a "33^17"
PID: 8928, Command line: cmd.exe /c set /a "56^17"
PID: 3536, Command line: cmd.exe /c set /a "40^17"
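The `set /a` spawns listed above and the garbled entries in the Strings section are two views of the same data: each cmd.exe evaluates `N^17`, that is, it XORs one byte of an obfuscated string with the key 17, and the results read in process-creation order spell out text. The Python script below is an added example, not part of the report or of the sample: it parses the child-process lines in the exact format listed above, evaluates the expression itself instead of shelling out to cmd.exe, and also decodes one entry copied verbatim from the Strings section with the same key. The only constructed data is the placeholder PIDs in `build_log`, which rebuilds a process log from that string so the two decode paths can be compared; the regex also accepts the other `set /a` operators (`| & + - *`), which goes beyond what this sample uses.

```python
import re

# --- Sample data ------------------------------------------------------------
# Verbatim copy of the first ten "Additional child processes" lines from
# section 3 of the report (PIDs as recorded there).
REPORT_SNIPPET = """\
PID: 7852, Command line: cmd.exe /c set /a "90^17"
PID: 8256, Command line: cmd.exe /c set /a "84^17"
PID: 8784, Command line: cmd.exe /c set /a "67^17"
PID: 9048, Command line: cmd.exe /c set /a "95^17"
PID: 2404, Command line: cmd.exe /c set /a "84^17"
PID: 5820, Command line: cmd.exe /c set /a "93^17"
PID: 5940, Command line: cmd.exe /c set /a "34^17"
PID: 3552, Command line: cmd.exe /c set /a "35^17"
PID: 3964, Command line: cmd.exe /c set /a "43^17"
PID: 4988, Command line: cmd.exe /c set /a "43^17"
"""

# Verbatim copy of one obfuscated entry from the Strings section of the report.
ENCODED_STRING = 'ZTC_T]"#++Gxcedp}P}}~r9x1!=x1!i !!!!!=1x1!i"!!!=1x1!i%!8a?c ('

# The XOR key the sample hard-codes in every "set /a" expression.
KEY = 17

# Matches one child-process line as listed in the report, e.g.
#   PID: 7852, Command line: cmd.exe /c set /a "90^17"
# cmd.exe's "set /a" evaluates the quoted expression; the operator class lists
# the bitwise/arithmetic operators this decoder reproduces.
SET_A_RE = re.compile(
    r'cmd\.exe\s+/c\s+set\s+/a\s+"\s*(\d+)\s*([\^|&+\-*])\s*(\d+)\s*"',
    re.IGNORECASE,
)

OPS = {
    "^": lambda a, b: a ^ b,
    "|": lambda a, b: a | b,
    "&": lambda a, b: a & b,
    "+": lambda a, b: a + b,
    "-": lambda a, b: a - b,
    "*": lambda a, b: a * b,
}


def to_char(value):
    """Render one decoded byte: printable ASCII as-is, anything else as \\xNN."""
    return chr(value) if 32 <= value < 127 else "\\x%02x" % (value & 0xFF)


def evaluate_set_a(line):
    """Return the integer cmd.exe would produce for one 'set /a' line, or None
    when the line is not a set /a invocation."""
    m = SET_A_RE.search(line)
    if not m:
        return None
    lhs, op, rhs = int(m.group(1)), m.group(2), int(m.group(3))
    return OPS[op](lhs, rhs)


def decode_process_log(log_text):
    """Treat every 'set /a' result, in creation order, as one character of the
    hidden string and return that string; non-matching lines are ignored."""
    chars = []
    for line in log_text.splitlines():
        value = evaluate_set_a(line)
        if value is not None:
            chars.append(to_char(value))
    return "".join(chars)


def decode_xor_string(encoded, key=KEY):
    """Decode an obfuscated Strings entry with a single-byte XOR key (the same
    transform the cmd.exe spawns perform one byte at a time)."""
    return "".join(to_char(ord(c) ^ key) for c in encoded)


def build_log(encoded, key=KEY):
    """Constructed data (not from the report): rebuild the process log the
    sample would emit while decoding `encoded`, with placeholder PIDs, so the
    log-based and string-based decoders can be cross-checked."""
    return "\n".join(
        'PID: %d, Command line: cmd.exe /c set /a "%d^%d"' % (1000 + i, ord(c), key)
        for i, c in enumerate(encoded)
    )


if __name__ == "__main__":
    print(decode_process_log(REPORT_SNIPPET))   # first ten spawns
    print(decode_xor_string(ENCODED_STRING))    # one Strings entry
    print(decode_process_log(build_log(ENCODED_STRING)) == decode_xor_string(ENCODED_STRING))
```

Run stand-alone, the first ten spawns decode to `KERNEL32::` and the Strings entry to `KERNEL32::VirtualAlloc(i 0,i 0x100000, i 0x3000, i 0x40)p.r19`, which is the calling syntax of the NSIS System plugin (System.dll, one of the two DLLs dropped to the temp folder): a 1 MiB region allocated with MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE (0x40), its address stored in NSIS register $1. Decoding the complete list above the same way yields five such strings in sequence, CreateFileA, VirtualAlloc, SetFilePointer, ReadFile and user32::CallWindowProcA, i.e. the installer script opens a file, reads its contents into executable memory and invokes that memory through a window-procedure callback. For detection, a burst of `cmd.exe /c set /a` children spawned by an NSIS installer is therefore a cheap, high-signal indicator, and the same decoder turns the process-creation telemetry directly into the loader's API sequence.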
4. YARA Rules and IOCs
TYPE | Value | Details |
---|---|---|
URL | su1d[.]nerdpol[.]ovh | |
IP | 4[.]236[.]162[.]205 | |
exe | Demiparadise.exe | b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d |
dll | nsExec.dll | c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7 |
dll | System.dll | bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb |