Sample: https://app.any.run/tasks/5032cab3-c41d-4f04-a1a7-930ca0ee0b09 Hash: d4cc124021b66445b5a8d1203d36e899
Next part of execution: https://app.any.run/tasks/73584f72-ddba-46e0-9661-5351186c659d Hash: a1987242a319ad25836ba3c211a13ba7
The encodings used by the executed PowerShell script are decoded in the following images:
The Base64 executable (Google Chrome.dll) is found here: https://www.virustotal.com/gui/file/4071e1852e9b0dea859d73b1736df451466a197c31e6f81dc590cc37b270b92f/detection
The Charcode executable (1118.exe) Lime Keylogger is found here: https://www.virustotal.com/gui/file/c6fc9e3efaa2ee2f9c8cfca1154904819176a5e16e5341f88ec424bb727ca63b/detection
The 1118.exe executable C2 is top[.]killwhenabusing1[.]xyz
Honestly, not too much at this point surprised me; however, the tactic of using aspnet_compiler.exe to run the malware from the PowerShell file was new to me. To me, some simple rules to write would include looking for suspicious parent processes launching aspnet_compiler.exe or seeing aspnet_compiler.exe attempting network connections.
I'll put together some YARA rules and OpenIOC rules later.
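As an added illustration of the two detection ideas above (not part of the original post, and not one of the YARA/OpenIOC rules the author mentions), here is a small Python detector that walks Sysmon-style process-creation and network-connection events and flags aspnet_compiler.exe spawned by a scripting or Office parent, aspnet_compiler.exe opening any network connection, and any process resolving the C2 domain named in this post. The event records, the parent-process list, the 192.0.2.x addresses and the file paths are constructed sample data for the example, not telemetry from the analysed sample.

```python
"""Added example: process/network detection for the aspnet_compiler.exe pattern.

The event records are constructed to imitate Sysmon-style process creation
(Event ID 1) and network connection (Event ID 3) fields; they are hand-written
sample data, not telemetry from the analysed sample.
"""
from dataclasses import dataclass
from typing import List, Optional

# Parents that should not normally spawn the ASP.NET precompiler. The list is an
# assumption for this example; tune it to what the environment's build hosts do.
SUSPICIOUS_PARENTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "winword.exe", "excel.exe", "outlook.exe",
}

# C2 domain named in the post (defanged there as top[.]killwhenabusing1[.]xyz).
KNOWN_C2_DOMAINS = {"top.killwhenabusing1.xyz"}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Event:
    event_id: int                       # 1 = process create, 3 = network connect
    pid: int
    image: str                          # Sysmon 'Image'
    parent_image: Optional[str] = None  # Sysmon 'ParentImage' (Event ID 1 only)
    command_line: str = ""              # Sysmon 'CommandLine'
    dest_ip: Optional[str] = None       # Sysmon 'DestinationIp' (Event ID 3 only)
    dest_port: Optional[int] = None     # Sysmon 'DestinationPort'
    dest_host: Optional[str] = None     # Sysmon 'DestinationHostname'


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def detect(events: List[Event]) -> List[Alert]:
    """Apply the two rules from the post plus an IoC match, in event order."""
    alerts: List[Alert] = []
    for ev in events:
        image = basename(ev.image)
        # Rule 3: any process talking to the C2 domain listed in the post.
        if ev.event_id == 3 and (ev.dest_host or "").lower() in KNOWN_C2_DOMAINS:
            alerts.append(Alert("known_c2_domain", ev.pid,
                                f"image={image} host={ev.dest_host}"))
        if image != "aspnet_compiler.exe":
            continue
        if ev.event_id == 1:
            # Rule 1: precompiler spawned by a scripting/Office parent.
            parent = basename(ev.parent_image or "")
            if parent in SUSPICIOUS_PARENTS:
                alerts.append(Alert("aspnet_compiler_suspicious_parent", ev.pid,
                                    f"parent={parent} cmd={ev.command_line}"))
        elif ev.event_id == 3:
            # Rule 2: the precompiler itself has no reason to use the network.
            alerts.append(Alert("aspnet_compiler_network_connection", ev.pid,
                                f"dest={ev.dest_ip}:{ev.dest_port}"))
    return alerts


ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

# Constructed sample events (IPs from the TEST-NET-1 documentation range).
SAMPLE_EVENTS = [
    # Benign: a build tool runs the precompiler and it stays offline.
    Event(1, 4100, ASPNET,
          parent_image=r"C:\Program Files\MSBuild\MSBuild.exe",
          command_line="aspnet_compiler.exe -v / -p C:\\site -f C:\\out"),
    # Suspicious: PowerShell is the parent, as in the analysed sample.
    Event(1, 5120, ASPNET,
          parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="aspnet_compiler.exe <args elided>"),
    # Suspicious: the same process then opens an outbound connection.
    Event(3, 5120, ASPNET, dest_ip="192.0.2.10", dest_port=443),
    # IoC hit: the dropped keylogger name from the post reaching the C2 domain.
    Event(3, 6001, r"C:\Users\Public\1118.exe", dest_ip="192.0.2.11",
          dest_port=80, dest_host="top.killwhenabusing1.xyz"),
    # Noise that must not alert.
    Event(3, 900, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_ip="192.0.2.20", dest_port=443, dest_host="example.org"),
]


def run_sample() -> List[Alert]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Running it yields three alerts: the PowerShell-parented launch, the network connection from that same aspnet_compiler.exe process, and the C2 domain hit; the MSBuild-parented build and the browser traffic stay quiet. The parent-process allow/deny split is the part that needs local tuning, since legitimate CI agents may launch the precompiler from shells.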