Malware Analysis and Triage Report : AveMaria RAT

From Opera to C2, real quick!

1. Executive Summary

A. Fingerprinting

  1. MD5: 425cf022932c7ace6542f18af4fbac2a
  2. SHA256: b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d
  3. VirusTotal Report: https://www.virustotal.com/gui/file/b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d/detection/f-b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d-1668189288

B. Classification

AveMaria RAT is a Remote Access Trojan that allows the attacker to connect to and control the victim's machine through a fake (hollowed) process and a reverse connection to its C&C server.

C. Behavioral Summary

AveMaria RAT uses a common technique to disguise the malicious executable with a fake Word icon. Once launched, the executable starts a series of cmd.exe processes and drops two DLL files, nsExec.dll and System.dll, into the temp folder C:\Users\<user>\AppData\Local\Temp\nsb436C.tmp (the last folder has a pseudo-random name that changes every time the malware is launched). A C:\Program Files (x86)\internet explorer\ieinstal.exe process is then launched and probably injected with shellcode using the Heaven's Gate technique; this process starts a connection to the C&C su1d[.]nerdpol[.]ovh with IP 4.236.162.205 on port 2222. Finally, persistence is achieved by copying the original malware into the local folder C:\Users\<user>\AppData\Local\Temp\Fadllers under the name Demiparadise.exe. More details are in the Static and Dynamic Analysis sections.

2. Static Analysis

Imports

Function Name Suspicious
SetCurrentDirectoryW Yes
SearchPathW Yes
OpenProcessToken Yes
LookupPrivilegeValueW Yes
AdjustTokenPrivileges Yes
WritePrivateProfileStringW Yes
RegDeleteKeyW Yes
RegDeleteValueW Yes
RegCreateKeyExW Yes
RegSetValueExW Yes
RegEnumKeyW Yes
MoveFileW Yes
SetFileAttributesW Yes
RemoveDirectoryW Yes
GetTempFileNameW Yes
WriteFile Yes
MoveFileExW Yes
FindFirstFileW Yes
FindNextFileW Yes
DeleteFileW Yes
SHGetSpecialFolderLocation Yes
SHGetPathFromIDListW Yes
SHBrowseForFolderW Yes
SHGetFileInfoW Yes
SHFileOperationW Yes
SetFileSecurityW Yes
SetEnvironmentVariableW Yes
CreateProcessW Yes
GetExitCodeProcess Yes
ShellExecuteW Yes
CloseClipboard Yes
SetClipboardData Yes
EmptyClipboard Yes
OpenClipboard Yes
ExitWindowsEx Yes
SystemParametersInfoW Yes
IsWindowEnabled
SetWindowPos
GetWindowLongW
GetMessagePos
CallWindowProcW
IsWindowVisible
DispatchMessageW
PeekMessageW
EnableWindow
SendMessageW
DefWindowProcW
RegisterClassW
CreateWindowExW
DestroyWindow
ShowWindow
IsWindow
SetWindowLongW
FindWindowExW
SendMessageTimeoutW
SetForegroundWindow
WaitForSingleObject
GetDiskFreeSpaceW
LoadCursorW
GetPrivateProfileStringW
RegOpenKeyExW
RegEnumValueW
RegCloseKey
RegQueryValueExW
GetTickCount
GetWindowsDirectoryW
GetSystemDirectoryW
ExpandEnvironmentStringsW
GetSystemMetrics
GlobalLock
GlobalFree
GlobalAlloc
GlobalUnlock
CoTaskMemFree
GetFileAttributesW
GetFullPathNameW
GetFileSize
GetTempPathW
CopyFileW
CompareFileTime
CreateDirectoryW
CreateFileW
GetShortPathNameW
SetFileTime
SetFilePointer
ReadFile
FindClose
Sleep
GetCurrentProcess
ExitProcess
GetCommandLineW
CreateThread
PostQuitMessage
GetModuleFileNameW
GetProcAddress
GetModuleHandleA
FreeLibrary
LoadLibraryExW
GetModuleHandleW
GetLastError
GetVersion
SetErrorMode
lstrlenW
lstrcmpiA
lstrcpyA
lstrcpyW
lstrcatW
lstrcmpiW
CloseHandle
lstrcmpW
lstrcpynW
MulDiv
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetSystemMenu
SetClassLongW
EnableMenuItem
GetSysColor
SetCursor
CheckDlgButton
LoadBitmapW
wsprintfW
ScreenToClient
GetWindowRect
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
GetDC
ReleaseDC
InvalidateRect
BeginPaint
GetClientRect
FillRect
EndDialog
GetClassInfoW
DialogBoxParamW
CharNextW
LoadImageW
SetTimer
SetWindowTextW
GetDlgItem
TrackPopupMenu
AppendMenuW
CreatePopupMenu
DrawTextW
EndPaint
CreateDialogParamW
SelectObject
SetBkMode
CreateFontIndirectW
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor
ImageList_AddMasked
17 (DPA_DeleteAllPtrs)
ImageList_Destroy
ImageList_Create
OleUninitialize
OleInitialize
CoCreateInstance

Strings

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.01</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>

NullsoftInstZ

CLI (Version 3.1.46.914)


Niedersachsen1
Braunschweig1
Radires1%0#
[email protected]+
$Bullede Fiberkufferten Differensens 0
220928204625Z
250927204625Z0
Niedersachsen1
Braunschweig1
Radires1%0#
[email protected]+
$Bullede Fiberkufferten Differensens 0
RichEdit
RichEdit20W
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
verifying installer: %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error

SeShutdownPrivilege
.tmp
~nsu
 _?=
TEMP
\Temp
 /D=
NCRC
NSIS Error
Error writing temporary file. Make sure your temp folder is valid.
@_Nb
.exe
open
%u.%u%s%s
\*.*
*?|<>/":
%s%S.dll
MS Shell Dlg
MS Shell Dlg

3. Dynamic Analysis

  • Drive-by download using OneDrive
hxxps://onedrive[.]live[.]com/download?cid=5B98AB7755412578&resid=5B98AB7755412578%21133&authkey=ABR6EpLf8KEegO4

hxxps://fwnola[.]ch[.]files[.]1drv.com/y4mbQIvo9IGdCZsMfeI1BKgDAfT-HCtJzMD7x7ZuYBp8wDTE5j3SeQyLVMSV1Tb1Q5HRjJkjcMSVBAciV1HOJr28GUJbFFQkcBVr2xFOWZLKRXI4Sxzzm1FL-8mD3SdCHjf-S4GQxJsVFuWmsC37zBdMMn3Mfq8HvNTZDnG8g4KsO9isextGcJUf12F5qc3xPqE2tBTDD8WY44YMazBuL8oQQ/IsDmQaCLn176.pcz?download&psid=1

  • C2 IP and port connection
su1d[.]nerdpol[.]ovh -> 20[.]171[.]84[.]250
  • Additional child processes
PID: 7852, Command line: cmd.exe /c set /a "90^17"
PID: 8256, Command line: cmd.exe /c set /a "84^17"
PID: 8784, Command line: cmd.exe /c set /a "67^17"
PID: 9048, Command line: cmd.exe /c set /a "95^17"
PID: 2404, Command line: cmd.exe /c set /a "84^17"
PID: 5820, Command line: cmd.exe /c set /a "93^17"
PID: 5940, Command line: cmd.exe /c set /a "34^17"
PID: 3552, Command line: cmd.exe /c set /a "35^17"
PID: 3964, Command line: cmd.exe /c set /a "43^17"
PID: 4988, Command line: cmd.exe /c set /a "43^17"
PID: 5516, Command line: cmd.exe /c set /a "82^17"
PID: 7184, Command line: cmd.exe /c set /a "99^17"
PID: 7300, Command line: cmd.exe /c set /a "116^17"
PID: 8600, Command line: cmd.exe /c set /a "112^17"
PID: 6040, Command line: cmd.exe /c set /a "101^17"
PID: 4956, Command line: cmd.exe /c set /a "116^17"
PID: 1268, Command line: cmd.exe /c set /a "87^17"
PID: 6808, Command line: cmd.exe /c set /a "120^17"
PID: 6472, Command line: cmd.exe /c set /a "125^17"
PID: 2036, Command line: cmd.exe /c set /a "116^17"
PID: 540,  Command line: cmd.exe /c set /a "80^17"
PID: 964,  Command line: cmd.exe /c set /a "57^17"
PID: 4640, Command line: cmd.exe /c set /a "124^17"
PID: 2728, Command line: cmd.exe /c set /a "49^17"
PID: 4140, Command line: cmd.exe /c set /a "99^17"
PID: 3540, Command line: cmd.exe /c set /a "37^17"
PID: 536,  Command line: cmd.exe /c set /a "49^17"
PID: 7092, Command line: cmd.exe /c set /a "61^17"
PID: 8232, Command line: cmd.exe /c set /a "49^17"
PID: 3060, Command line: cmd.exe /c set /a "120^17"
PID: 2948, Command line: cmd.exe /c set /a "49^17"
PID: 8576, Command line: cmd.exe /c set /a "33^17"
PID: 4908, Command line: cmd.exe /c set /a "105^17"
PID: 444,  Command line: cmd.exe /c set /a "41^17"
PID: 8480, Command line: cmd.exe /c set /a "33^17"
PID: 7980, Command line: cmd.exe /c set /a "33^17"
PID: 2556, Command line: cmd.exe /c set /a "33^17"
PID: 6356, Command line: cmd.exe /c set /a "33^17"
PID: 8476, Command line: cmd.exe /c set /a "33^17"
PID: 9052, Command line: cmd.exe /c set /a "33^17"
PID: 5980, Command line: cmd.exe /c set /a "33^17"
PID: 4392, Command line: cmd.exe /c set /a "61^17"
PID: 7248, Command line: cmd.exe /c set /a "49^17"
PID: 7852, Command line: cmd.exe /c set /a "120^17"
PID: 2184, Command line: cmd.exe /c set /a "49^17"
PID: 7020, Command line: cmd.exe /c set /a "33^17"
PID: 4076, Command line: cmd.exe /c set /a "61^17"
PID: 9108, Command line: cmd.exe /c set /a "49^17"
PID: 7876, Command line: cmd.exe /c set /a "97^17"
PID: 3356, Command line: cmd.exe /c set /a "49^17"
PID: 6972, Command line: cmd.exe /c set /a "33^17"
PID: 4648, Command line: cmd.exe /c set /a "61^17"
PID: 6476, Command line: cmd.exe /c set /a "49^17"
PID: 9128, Command line: cmd.exe /c set /a "120^17"
PID: 8640, Command line: cmd.exe /c set /a "49^17"
PID: 8320, Command line: cmd.exe /c set /a "37^17"
PID: 8132, Command line: cmd.exe /c set /a "61^17"
PID: 1596, Command line: cmd.exe /c set /a "49^17"
PID: 2868, Command line: cmd.exe /c set /a "120^17"
PID: 3932, Command line: cmd.exe /c set /a "49^17"
PID: 6436, Command line: cmd.exe /c set /a "33^17"
PID: 6052, Command line: cmd.exe /c set /a "105^17"
PID: 4768, Command line: cmd.exe /c set /a "41^17"
PID: 6424, Command line: cmd.exe /c set /a "33^17"
PID: 3900, Command line: cmd.exe /c set /a "61^17"
PID: 3188, Command line: cmd.exe /c set /a "49^17"
PID: 884,  Command line: cmd.exe /c set /a "120^17"
PID: 7124, Command line: cmd.exe /c set /a "49^17"
PID: 704,  Command line: cmd.exe /c set /a "33^17"
PID: 1884, Command line: cmd.exe /c set /a "56^17"
PID: 4412, Command line: cmd.exe /c set /a "120^17"
PID: 436,  Command line: cmd.exe /c set /a "63^17"
PID: 6536, Command line: cmd.exe /c set /a "99^17"
PID: 6852, Command line: cmd.exe /c set /a "36^17"
PID: 5008, Command line: cmd.exe /c set /a "40^17"
PID: 1960, Command line: cmd.exe /c set /a "90^17"
PID: 5024, Command line: cmd.exe /c set /a "84^17"
PID: 7148, Command line: cmd.exe /c set /a "67^17"
PID: 500,  Command line: cmd.exe /c set /a "95^17"
PID: 6760, Command line: cmd.exe /c set /a "84^17"
PID: 7108, Command line: cmd.exe /c set /a "93^17"
PID: 4552, Command line: cmd.exe /c set /a "34^17"
PID: 7128, Command line: cmd.exe /c set /a "35^17"
PID: 5304, Command line: cmd.exe /c set /a "43^17"
PID: 2832, Command line: cmd.exe /c set /a "43^17"
PID: 6276, Command line: cmd.exe /c set /a "71^17"
PID: 8628, Command line: cmd.exe /c set /a "120^17"
PID: 3200, Command line: cmd.exe /c set /a "99^17"
PID: 2180, Command line: cmd.exe /c set /a "101^17"
PID: 8872, Command line: cmd.exe /c set /a "100^17"
PID: 4656, Command line: cmd.exe /c set /a "112^17"
PID: 8884, Command line: cmd.exe /c set /a "125^17"
PID: 8908, Command line: cmd.exe /c set /a "80^17"
PID: 6812, Command line: cmd.exe /c set /a "125^17"
PID: 8656, Command line: cmd.exe /c set /a "125^17"
PID: 7404, Command line: cmd.exe /c set /a "126^17"
PID: 4644, Command line: cmd.exe /c set /a "114^17"
PID: 5688, Command line: cmd.exe /c set /a "57^17"
PID: 3456, Command line: cmd.exe /c set /a "120^17"
PID: 6540, Command line: cmd.exe /c set /a "49^17"
PID: 8692, Command line: cmd.exe /c set /a "33^17"
PID: 8496, Command line: cmd.exe /c set /a "61^17"
PID: 6300, Command line: cmd.exe /c set /a "120^17"
PID: 9084, Command line: cmd.exe /c set /a "49^17"
PID: 4144, Command line: cmd.exe /c set /a "33^17"
PID: 8792, Command line: cmd.exe /c set /a "105^17"
PID: 2092, Command line: cmd.exe /c set /a "32^17"
PID: 7236, Command line: cmd.exe /c set /a "33^17"
PID: 8992, Command line: cmd.exe /c set /a "33^17"
PID: 6456, Command line: cmd.exe /c set /a "33^17"
PID: 4872, Command line: cmd.exe /c set /a "33^17"
PID: 8368, Command line: cmd.exe /c set /a "33^17"
PID: 5328, Command line: cmd.exe /c set /a "61^17"
PID: 3584, Command line: cmd.exe /c set /a "49^17"
PID: 8812, Command line: cmd.exe /c set /a "120^17"
PID: 8400, Command line: cmd.exe /c set /a "49^17"
PID: 8624, Command line: cmd.exe /c set /a "33^17"
PID: 8888, Command line: cmd.exe /c set /a "105^17"
PID: 9196, Command line: cmd.exe /c set /a "34^17"
PID: 3528, Command line: cmd.exe /c set /a "33^17"
PID: 4896, Command line: cmd.exe /c set /a "33^17"
PID: 3444, Command line: cmd.exe /c set /a "33^17"
PID: 3272, Command line: cmd.exe /c set /a "61^17"
PID: 5124, Command line: cmd.exe /c set /a "49^17"
PID: 2000, Command line: cmd.exe /c set /a "120^17"
PID: 7640, Command line: cmd.exe /c set /a "49^17"
PID: 7056, Command line: cmd.exe /c set /a "33^17"
PID: 520,  Command line: cmd.exe /c set /a "105^17"
PID: 1272, Command line: cmd.exe /c set /a "37^17"
PID: 7832, Command line: cmd.exe /c set /a "33^17"
PID: 8384, Command line: cmd.exe /c set /a "56^17"
PID: 564,  Command line: cmd.exe /c set /a "97^17"
PID: 5232, Command line: cmd.exe /c set /a "63^17"
PID: 7760, Command line: cmd.exe /c set /a "99^17"
PID: 4036, Command line: cmd.exe /c set /a "32^17"
PID: 8824, Command line: cmd.exe /c set /a "40^17"
PID: 5244, Command line: cmd.exe /c set /a "90^17"
PID: 8224, Command line: cmd.exe /c set /a "84^17"
PID: 2112, Command line: cmd.exe /c set /a "67^17"
PID: 6692, Command line: cmd.exe /c set /a "95^17"
PID: 8996, Command line: cmd.exe /c set /a "84^17"
PID: 740,  Command line: cmd.exe /c set /a "93^17"
PID: 8744, Command line: cmd.exe /c set /a "34^17"
PID: 4596, Command line: cmd.exe /c set /a "35^17"
PID: 8272, Command line: cmd.exe /c set /a "43^17"
PID: 8136, Command line: cmd.exe /c set /a "43^17"
PID: 1140, Command line: cmd.exe /c set /a "66^17"
PID: 8800, Command line: cmd.exe /c set /a "116^17"
PID: 1972, Command line: cmd.exe /c set /a "101^17"
PID: 7160, Command line: cmd.exe /c set /a "87^17"
PID: 7500, Command line: cmd.exe /c set /a "120^17"
PID: 3756, Command line: cmd.exe /c set /a "125^17"
PID: 6116, Command line: cmd.exe /c set /a "116^17"
PID: 8596, Command line: cmd.exe /c set /a "65^17"
PID: 9200, Command line: cmd.exe /c set /a "126^17"
PID: 7092, Command line: cmd.exe /c set /a "120^17"
PID: 9008, Command line: cmd.exe /c set /a "127^17"
PID: 3060, Command line: cmd.exe /c set /a "101^17"
PID: 2948, Command line: cmd.exe /c set /a "116^17"
PID: 8720, Command line: cmd.exe /c set /a "99^17"
PID: 8308, Command line: cmd.exe /c set /a "57^17"
PID: 444,  Command line: cmd.exe /c set /a "120^17"
PID: 8480, Command line: cmd.exe /c set /a "49^17"
PID: 5740, Command line: cmd.exe /c set /a "99^17"
PID: 8680, Command line: cmd.exe /c set /a "36^17"
PID: 6440, Command line: cmd.exe /c set /a "61^17"
PID: 7488, Command line: cmd.exe /c set /a "49^17"
PID: 5076, Command line: cmd.exe /c set /a "120^17"
PID: 2080, Command line: cmd.exe /c set /a "49^17"
PID: 7280, Command line: cmd.exe /c set /a "32^17"
PID: 7724, Command line: cmd.exe /c set /a "38^17"
PID: 2764, Command line: cmd.exe /c set /a "36^17"
PID: 8676, Command line: cmd.exe /c set /a "33^17"
PID: 8424, Command line: cmd.exe /c set /a "49^17"
PID: 8196, Command line: cmd.exe /c set /a "61^17"
PID: 712,  Command line: cmd.exe /c set /a "49^17"
PID: 1740, Command line: cmd.exe /c set /a "120^17"
PID: 3360, Command line: cmd.exe /c set /a "49^17"
PID: 4264, Command line: cmd.exe /c set /a "33^17"
PID: 7004, Command line: cmd.exe /c set /a "61^17"
PID: 2480, Command line: cmd.exe /c set /a "120^17"
PID: 3668, Command line: cmd.exe /c set /a "49^17"
PID: 4444, Command line: cmd.exe /c set /a "33^17"
PID: 5224, Command line: cmd.exe /c set /a "56^17"
PID: 4600, Command line: cmd.exe /c set /a "120^17"
PID: 3340, Command line: cmd.exe /c set /a "63^17"
PID: 3040, Command line: cmd.exe /c set /a "99^17"
PID: 2312, Command line: cmd.exe /c set /a "34^17"
PID: 7624, Command line: cmd.exe /c set /a "40^17"
PID: 8916, Command line: cmd.exe /c set /a "90^17"
PID: 9168, Command line: cmd.exe /c set /a "84^17"
PID: 7412, Command line: cmd.exe /c set /a "67^17"
PID: 5324, Command line: cmd.exe /c set /a "95^17"
PID: 1292, Command line: cmd.exe /c set /a "84^17"
PID: 4400, Command line: cmd.exe /c set /a "93^17"
PID: 6796, Command line: cmd.exe /c set /a "34^17"
PID: 4652, Command line: cmd.exe /c set /a "35^17"
PID: 4940, Command line: cmd.exe /c set /a "43^17"
PID: 628,  Command line: cmd.exe /c set /a "43^17"
PID: 6644, Command line: cmd.exe /c set /a "67^17"
PID: 6536, Command line: cmd.exe /c set /a "116^17"
PID: 6124, Command line: cmd.exe /c set /a "112^17"
PID: 5008, Command line: cmd.exe /c set /a "117^17"
PID: 1960, Command line: cmd.exe /c set /a "87^17"
PID: 4460, Command line: cmd.exe /c set /a "120^17"
PID: 2904, Command line: cmd.exe /c set /a "125^17"
PID: 5316, Command line: cmd.exe /c set /a "116^17"
PID: 7720, Command line: cmd.exe /c set /a "57^17"
PID: 7048, Command line: cmd.exe /c set /a "120^17"
PID: 1508, Command line: cmd.exe /c set /a "49^17"
PID: 5284, Command line: cmd.exe /c set /a "99^17"
PID: 716,  Command line: cmd.exe /c set /a "36^17"
PID: 6184, Command line: cmd.exe /c set /a "61^17"
PID: 7088, Command line: cmd.exe /c set /a "49^17"
PID: 8684, Command line: cmd.exe /c set /a "120^17"
PID: 8256, Command line: cmd.exe /c set /a "49^17"
PID: 3032, Command line: cmd.exe /c set /a "99^17"
PID: 6128, Command line: cmd.exe /c set /a "32^17"
PID: 7476, Command line: cmd.exe /c set /a "61^17"
PID: 6492, Command line: cmd.exe /c set /a "49^17"
PID: 3928, Command line: cmd.exe /c set /a "120^17"
PID: 5144, Command line: cmd.exe /c set /a "49^17"
PID: 3964, Command line: cmd.exe /c set /a "33^17"
PID: 4988, Command line: cmd.exe /c set /a "105^17"
PID: 5516, Command line: cmd.exe /c set /a "32^17"
PID: 4620, Command line: cmd.exe /c set /a "33^17"
PID: 9072, Command line: cmd.exe /c set /a "33^17"
PID: 6756, Command line: cmd.exe /c set /a "33^17"
PID: 192,  Command line: cmd.exe /c set /a "33^17"
PID: 2572, Command line: cmd.exe /c set /a "33^17"
PID: 3952, Command line: cmd.exe /c set /a "61^17"
PID: 5580, Command line: cmd.exe /c set /a "59^17"
PID: 6472, Command line: cmd.exe /c set /a "120^17"
PID: 7292, Command line: cmd.exe /c set /a "49^17"
PID: 7224, Command line: cmd.exe /c set /a "33^17"
PID: 4052, Command line: cmd.exe /c set /a "61^17"
PID: 5824, Command line: cmd.exe /c set /a "49^17"
PID: 2892, Command line: cmd.exe /c set /a "120^17"
PID: 7100, Command line: cmd.exe /c set /a "49^17"
PID: 8964, Command line: cmd.exe /c set /a "33^17"
PID: 6488, Command line: cmd.exe /c set /a "56^17"
PID: 3584, Command line: cmd.exe /c set /a "120^17"
PID: 8812, Command line: cmd.exe /c set /a "63^17"
PID: 8400, Command line: cmd.exe /c set /a "99^17"
PID: 9076, Command line: cmd.exe /c set /a "34^17"
PID: 6308, Command line: cmd.exe /c set /a "40^17"
PID: 6564, Command line: cmd.exe /c set /a "100^17"
PID: 7872, Command line: cmd.exe /c set /a "98^17"
PID: 456,  Command line: cmd.exe /c set /a "116^17"
PID: 3444, Command line: cmd.exe /c set /a "99^17"
PID: 3272, Command line: cmd.exe /c set /a "34^17"
PID: 5124, Command line: cmd.exe /c set /a "35^17"
PID: 6944, Command line: cmd.exe /c set /a "43^17"
PID: 5304, Command line: cmd.exe /c set /a "43^17"
PID: 2832, Command line: cmd.exe /c set /a "82^17"
PID: 8892, Command line: cmd.exe /c set /a "112^17"
PID: 1272, Command line: cmd.exe /c set /a "125^17"
PID: 7832, Command line: cmd.exe /c set /a "125^17"
PID: 4876, Command line: cmd.exe /c set /a "70^17"
PID: 8072, Command line: cmd.exe /c set /a "120^17"
PID: 5232, Command line: cmd.exe /c set /a "127^17"
PID: 7684, Command line: cmd.exe /c set /a "117^17"
PID: 4036, Command line: cmd.exe /c set /a "126^17"
PID: 5620, Command line: cmd.exe /c set /a "102^17"
PID: 8592, Command line: cmd.exe /c set /a "65^17"
PID: 2392, Command line: cmd.exe /c set /a "99^17"
PID: 2484, Command line: cmd.exe /c set /a "126^17"
PID: 932,  Command line: cmd.exe /c set /a "114^17"
PID: 8996, Command line: cmd.exe /c set /a "80^17"
PID: 4120, Command line: cmd.exe /c set /a "57^17"
PID: 8744, Command line: cmd.exe /c set /a "120^17"
PID: 6528, Command line: cmd.exe /c set /a "49^17"
PID: 5036, Command line: cmd.exe /c set /a "99^17"
PID: 2088, Command line: cmd.exe /c set /a "32^17"
PID: 6080, Command line: cmd.exe /c set /a "49^17"
PID: 9040, Command line: cmd.exe /c set /a "61^17"
PID: 732,  Command line: cmd.exe /c set /a "120^17"
PID: 7236, Command line: cmd.exe /c set /a "49^17"
PID: 3900, Command line: cmd.exe /c set /a "33^17"
PID: 2744, Command line: cmd.exe /c set /a "61^17"
PID: 6428, Command line: cmd.exe /c set /a "120^17"
PID: 2780, Command line: cmd.exe /c set /a "49^17"
PID: 2576, Command line: cmd.exe /c set /a "33^17"
PID: 7748, Command line: cmd.exe /c set /a "61^17"
PID: 1560, Command line: cmd.exe /c set /a "49^17"
PID: 4564, Command line: cmd.exe /c set /a "120^17"
PID: 3448, Command line: cmd.exe /c set /a "49^17"
PID: 7060, Command line: cmd.exe /c set /a "33^17"
PID: 8888, Command line: cmd.exe /c set /a "61^17"
PID: 1384, Command line: cmd.exe /c set /a "49^17"
PID: 1284, Command line: cmd.exe /c set /a "120^17"
PID: 8500, Command line: cmd.exe /c set /a "49^17"
PID: 8952, Command line: cmd.exe /c set /a "33^17"
PID: 8928, Command line: cmd.exe /c set /a "56^17"
PID: 3536, Command line: cmd.exe /c set /a "40^17"
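Each of the child processes above asks cmd.exe to evaluate one `set /a "N^17"` expression, and in `set /a` the caret is bitwise XOR, so every process decodes one byte of a hidden string with the constant key 17 (the first 22 entries evaluate to `KERNEL32::CreateFileA(`, the call syntax used by the NSIS System plugin, which matches the dropped System.dll). The following Python script is an added example, not part of the original report: it parses process-log lines in the format shown above, reconstructs the decoded string, and flags the burst of arithmetic-only cmd.exe children as a detection signal; the sample log is constructed from the first 22 entries listed above.

```python
import re
from collections import Counter

# Matches the child-process lines quoted in this report, e.g.
#   PID: 7852, Command line: cmd.exe /c set /a "90^17"
LINE_RE = re.compile(
    r'PID:\s*(?P<pid>\d+),\s*Command line:\s*cmd\.exe\s+/c\s+set\s+/a\s+'
    r'"(?P<lhs>\d+)\^(?P<rhs>\d+)"',
    re.IGNORECASE,
)

# Constructed sample: the first 22 child processes listed above, copied verbatim.
SAMPLE_LOG = """\
PID: 7852, Command line: cmd.exe /c set /a "90^17"
PID: 8256, Command line: cmd.exe /c set /a "84^17"
PID: 8784, Command line: cmd.exe /c set /a "67^17"
PID: 9048, Command line: cmd.exe /c set /a "95^17"
PID: 2404, Command line: cmd.exe /c set /a "84^17"
PID: 5820, Command line: cmd.exe /c set /a "93^17"
PID: 5940, Command line: cmd.exe /c set /a "34^17"
PID: 3552, Command line: cmd.exe /c set /a "35^17"
PID: 3964, Command line: cmd.exe /c set /a "43^17"
PID: 4988, Command line: cmd.exe /c set /a "43^17"
PID: 5516, Command line: cmd.exe /c set /a "82^17"
PID: 7184, Command line: cmd.exe /c set /a "99^17"
PID: 7300, Command line: cmd.exe /c set /a "116^17"
PID: 8600, Command line: cmd.exe /c set /a "112^17"
PID: 6040, Command line: cmd.exe /c set /a "101^17"
PID: 4956, Command line: cmd.exe /c set /a "116^17"
PID: 1268, Command line: cmd.exe /c set /a "87^17"
PID: 6808, Command line: cmd.exe /c set /a "120^17"
PID: 6472, Command line: cmd.exe /c set /a "125^17"
PID: 2036, Command line: cmd.exe /c set /a "116^17"
PID: 540,  Command line: cmd.exe /c set /a "80^17"
PID: 964,  Command line: cmd.exe /c set /a "57^17"
"""

def parse_xor_children(log_text):
    """Return (pid, lhs, rhs) for every cmd.exe 'set /a "a^b"' child, in log order."""
    children = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            children.append((int(m.group("pid")), int(m.group("lhs")), int(m.group("rhs"))))
    return children

def decode_children(children):
    """cmd's ^ in 'set /a' is bitwise XOR: each child yields one byte of the hidden string."""
    out = []
    for _pid, lhs, rhs in children:
        v = lhs ^ rhs
        out.append(chr(v) if 32 <= v < 127 else "\\x%02x" % v)
    return "".join(out)

def xor_keys(children):
    """Right-hand operands seen; a single constant key (17 here) marks one decoding loop."""
    return Counter(rhs for _pid, _lhs, rhs in children)

def is_arithmetic_burst(children, threshold=10):
    """Detection heuristic: a burst of cmd.exe children that only evaluate 'set /a'."""
    return len(children) >= threshold

if __name__ == "__main__":
    kids = parse_xor_children(SAMPLE_LOG)
    print(len(kids), "children, keys:", dict(xor_keys(kids)))
    print("decoded:", decode_children(kids))
    print("burst:", is_arithmetic_burst(kids))
```

Feeding the full list from this section to `decode_children` recovers the whole obfuscated NSIS System::Call string one byte per process; the same parser works on Sysmon Event ID 1 exports once the line format is adjusted.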

4. YARA Rules and IOCs

TYPE Value Details
URL su1d[.]nerdpol[.]ovh
IP 4[.]236[.]162[.]205
exe Demiparadise.exe b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d
dll nsExec.dll c4c6fe032f3cd8b31528d7b99661f85ee22cb78746aee98ec568431d4f5043f7
dll System.dll bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech-savvy person, Red Team enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administration are his forte. He's one of the Founding Members of the CTF Team Abs0lut3Pwn4g3 and a Core Member at DC 91120 (DEFCON Community Group). Apart from the skills mentioned, he has good communication skills and is a goal-oriented person. Yellow belt holder at pwn.college, in pursuit of learning and achieving the Blue Belt.
