This report discusses a malware sample identified as a Trojan dropper, highlighting its multi-stage execution and behavior, including privilege escalation, scheduled task creation, and connections to a command and control (C2) server. The analysis illustrates the techniques the sample relies on and emphasizes the need for continued vigilance against evolving digital threats. Affected: Windows OS, Cybersecurity sector
Key points:
- The sample analyzed is categorized as a Trojan dropper.
- It uses a variety of DLL files to execute malicious actions.
- The malware attempts to escalate privileges using the “runas” command.
- It creates a scheduled task that runs every five minutes to maintain persistence.
- Connections to the C2 server reveal ongoing malicious activity.
- Notably, the scheduled task is created from an XML configuration file.
- Anti-Windows Defender functionality shows that the malware is designed to evade detection.
MITRE Techniques:
- T1203 – Exploitation for Client Execution: The Trojan uses various methods to exploit client systems.
- T1068 – Exploitation of Elevation Control Mechanism: Attempts to escalate privileges using the “runas” command.
- T1053 – Scheduled Task/Job: Uses schtasks to schedule tasks that maintain persistence.
- T1071 – Application Layer Protocol: Connects to the C2 server to execute commands and receive updates.
- T1106 – Execution through API: Uses rundll32 to execute its DLL files from the command line.
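As an added example (not code from the report or the linked blog post), the following Python detection pass matches the behaviours listed above against constructed process-creation events and a constructed scheduled-task XML definition, tagging each hit with the technique ID the report cites. The file paths, task name, DLL name and parent process names are assumptions, and the 15-minute threshold is an arbitrary tuning value.

```python
import re
import xml.etree.ElementTree as ET

# Constructed process-creation events (parent + command line), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmd": r'runas.exe /user:Administrator "C:\Users\Public\stage2.exe"'},
    {"parent": "stage2.exe", "cmd": r'schtasks.exe /Create /TN "Updater" /XML C:\Users\Public\task.xml /F'},
    {"parent": "stage2.exe", "cmd": r'rundll32.exe C:\Users\Public\helper.dll,DllEntry'},
    {"parent": "svchost.exe", "cmd": r'notepad.exe C:\Users\me\notes.txt'},  # benign control
]

# Constructed task definition with the five-minute repetition the report describes.
SAMPLE_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
  <Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions><Exec><Command>rundll32.exe</Command>
  <Arguments>C:\\Users\\Public\\helper.dll,DllEntry</Arguments></Exec></Actions>
</Task>"""

# Directories a standard user can write to; payloads staged here are suspicious.
USER_WRITABLE = re.compile(r"\\(Users\\Public|ProgramData|Temp|AppData)\\", re.I)

# (technique id as listed in the report, description, predicate over the command line)
RULES = [
    ("T1068", "runas launching a payload from a user-writable path",
     lambda c: c.lower().startswith("runas") and bool(USER_WRITABLE.search(c))),
    ("T1053", "schtasks /Create importing a task definition from XML",
     lambda c: c.lower().startswith("schtasks") and re.search(r"/create\b.*\s/xml\s", c, re.I) is not None),
    ("T1106", "rundll32 loading a DLL from a user-writable path",
     lambda c: c.lower().startswith("rundll32") and bool(USER_WRITABLE.search(c))),
]

def match_events(events):
    """Return (technique, description, command line) for every rule that fires."""
    return [(tid, desc, ev["cmd"]) for ev in events for tid, desc, pred in RULES if pred(ev["cmd"])]

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def task_xml_findings(xml_text, max_minutes=15):
    """Flag short repetition intervals and a rundll32 action in a task XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", interval.text or "")  # ISO 8601 duration, hours/minutes only
        if m:
            minutes = int(m.group(1) or 0) * 60 + int(m.group(2) or 0)
            if minutes <= max_minutes:
                findings.append(f"repeats every {minutes} min")
    for exe in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        if (exe.text or "").lower().startswith("rundll32"):
            findings.append(f"action runs {exe.text}")
    return findings
```

Running `match_events(SAMPLE_EVENTS)` yields three hits (one per listed technique) and none for the benign control event; `task_xml_findings(SAMPLE_TASK_XML)` reports the five-minute repetition and the rundll32 action.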
Indicators of Compromise:
- [File MD5] A699AFD908E0DEC5C96FF7188450B89F
- [File SHA256] f18631344d6f7fc57fd248edce37baeb11976e315b72b68d48311c406ace3f8c
- [File MD5] 621d17a2e9562fb63248edec813fd481
- [File SHA256] 1853cc36050f36dc525ab479c77846e976525269066a6cf4bacc4e25eb55d465
- [IP Address] 188.166.28.204
Full Story: https://malwareanalysisspace.blogspot.com/2025/03/unmasking-threat-understanding.html