1. Executive Summary

A. Fingerprinting
MD5: 425cf022932c7ace6542f18af4fbac2a
SHA256: b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d
VirusTotal Report: https://www.virustotal.com/gui/file/b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d/detection/f-b24ce8861d8d06d10d73e38c6fcc0c026a5c9529fda74927f85b4cfe022f7e1d-1668189288

B. Classification
AveMariaRat is a Remote Access Trojan that allows the attacker to connect to and control the victim's machine. It hides behind a fake process and reaches its C&C server through a reverse connection.
C. Behavioral Summary
AveMariaRat relies on a common technique: the malicious executable is disguised with a fake Word icon. Once launched, the executable spawns cmd commands that create two distinct DLL files.
1. Executive Summary

A. Fingerprinting
MD5: c5782ebad92661d4acfacaf4daa1fc52
SHA256: 1b82ac159d87162964a4eb61122bb411a35e748e135cc3b97ab39466e5827c7e
VirusTotal Report: https://www.virustotal.com/gui/file/1b82ac159d87162964a4eb61122bb411a35e748e135cc3b97ab39466e5827c7e

B. Classification
PirateStealer is a new Info Stealer on the scene. Little information is available about this family and the sample is relatively new; no traces have been found on either Malware Bazaar or Malpedia. The sample will be submitted to both databases after this post.
C. Behavioral Summary
The sample executes itself and checks for the presence of a virtualized environment using registry information and disk-drive identifiers.
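The two anti-VM probes named above, registry lookups and disk-drive identifier queries, leave a recognisable footprint in an API trace. The script below is an added example, not code from the PirateStealer analysis or from the sample: it scans API-monitor style log lines and flags calls that touch hypervisor artefacts. The log format, the registry paths in VM_REGISTRY_KEYS and the vendor strings in VM_DISK_MARKERS are assumptions chosen for illustration (they are commonly used indicators, not values recovered from this sample), and SAMPLE_LOG is a constructed trace, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry locations that commonly expose hypervisor artefacts. These are
# assumed, generic indicators, not keys recovered from the PirateStealer sample.
VM_REGISTRY_KEYS = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum",
    r"HKLM\HARDWARE\DEVICEMAP\Scsi",
    r"HKLM\HARDWARE\DESCRIPTION\System\BIOS",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
)

# Vendor substrings that show up in disk model / device identifier strings
# when the guest runs under a hypervisor (again, generic assumptions).
VM_DISK_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "virtio", "virtual hd")

# Constructed API-monitor style trace, format "<pid> <api>(<args>) => <result>".
# It mimics one registry probe and two disk identifier probes among benign calls.
SAMPLE_LOG = r"""
4120 RegOpenKeyExW(HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum, KEY_READ) => 0
4120 RegQueryValueExW(hKey=0x2c8, "0") => "SCSI\Disk&Ven_VMware_&Prod_Virtual_disk\4&1a2b3c4d&0&000000"
4120 RegOpenKeyExW(HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion, KEY_READ) => 0
4120 CreateFileW(\\.\PhysicalDrive0, GENERIC_READ) => 0x1f4
4120 DeviceIoControl(0x1f4, IOCTL_STORAGE_QUERY_PROPERTY) => "VBOX HARDDISK"
4120 GetVolumeInformationW(C:\) => 0xa1b2c3d4
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*?)\)\s*=>\s*(?P<result>.*)$")


@dataclass(frozen=True)
class Indicator:
    kind: str    # "registry" (VM artefact key opened/read) or "disk" (vendor string seen)
    api: str     # API call that produced the indicator
    detail: str  # matched registry key or vendor marker


def classify_line(line: str) -> Optional[Indicator]:
    """Return an Indicator when a single trace line looks like a VM probe."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    api, args, result = m["api"], m["args"], m["result"]

    # Registry probe: a registry API aimed at a key known to expose VM artefacts.
    if api.startswith(("RegOpenKey", "RegQueryValue", "RegGetValue")):
        lowered_args = args.lower()
        for key in VM_REGISTRY_KEYS:
            if key.lower() in lowered_args:
                return Indicator("registry", api, key)

    # Disk identifier probe: a hypervisor vendor string in the arguments or the
    # returned data (covers both Disk\Enum values and storage IOCTL results).
    blob = f"{args} {result}".lower()
    for marker in VM_DISK_MARKERS:
        if marker in blob:
            return Indicator("disk", api, marker)
    return None


def scan_log(log_text: str) -> List[Indicator]:
    """Collect every VM-probe indicator found in a multi-line trace."""
    hits = []
    for line in log_text.splitlines():
        ind = classify_line(line)
        if ind is not None:
            hits.append(ind)
    return hits


def is_vm_aware(log_text: str) -> bool:
    """True when the trace shows both probe kinds, as the behavioural summary describes."""
    kinds = {ind.kind for ind in scan_log(log_text)}
    return {"registry", "disk"} <= kinds


if __name__ == "__main__":
    for ind in scan_log(SAMPLE_LOG):
        print(f"{ind.kind:8} {ind.api:18} {ind.detail}")
    print("VM-aware behaviour:", is_vm_aware(SAMPLE_LOG))
```

Requiring both probe kinds before calling the sample VM-aware keeps a single benign registry read of a BIOS key from tripping the verdict; in a sandbox you would feed this the real API trace instead of SAMPLE_LOG.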
Contents
Disclaimer
Introduction
ContiLeaks
Zipped Locker
Unzipped Locker
backdoor.js
Source Code Analysis: Locker
Initialization
Command Line Arguments
Modifying the Code
Searching for Files
Cryptanalysis
Source Code Analysis: Decryptor
Cryptanalysis
Performance
Conclusion

1. Disclaimer
I won't be releasing/sharing the exact, complete source code, out of respect for the person because of whom all this was possible.