
Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.cisa.gov/tlp.

Summary

Description

This CISA submission included one unique file. This file is a malicious loader that contains an embedded executable. This embedded executable is a Remote Access Tool (RAT) that provides a vast array of Command and Control (C2) capabilities. These C2 capabilities include the ability to remotely monitor a system’s desktop, gain reverse shell access, exfiltrate data, and upload and execute additional payloads. The malware can also function as a proxy, allowing a remote operator to pivot to other systems.

For a downloadable copy of IOCs, see: MAR-10382254-1.v1.stix

Submitted Files (2)

6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349 (hmsvc.exe)

6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d (658_dump_64.exe)

IPs (1)

192.95.20.8

Findings

6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349

Tags

trojan

Details
Name hmsvc.exe
Size 720384 bytes
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 df81145680b4deab198d9bba091d86e9
SHA1 4235d9a934d26ec688c21e3fc2e470178b7b3c21
SHA256 6589a687e69a182e075f11805a755ac1fabbddae1636c6fea8e80e7414521349
SHA512 de5e8164f58120e624e0546518b5c0c5df864baa9b389162f1be75547e6f684ee94f9df5738cdcf5065dd7bfcd6481c6ea45f4c1ff154edb4e0ad48ea5260d42
ssdeep 12288:g5eggD3QpKCvO5yPPGtjLFanfI2YAMinlQZUub+RdYhawaGFbhwydP76N5:ceHD3eKU+tVafVgKlQZUlRdYVdP76N5
Entropy 7.623341
Antivirus
Adaware Gen:Variant.Ulise.345018
AhnLab Trojan/Win.Generic
Avira HEUR/AGEN.1248665
Bitdefender Gen:Variant.Ulise.345018
ESET a variant of Win64/Injector.HA.gen trojan
Emsisoft Gen:Variant.Ulise.345018 (B)
IKARUS Trojan.Win64.Injector
YARA Rules
rule CISA_10382580_03 : loader
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10382580"
        Date = "2022-05-02"
        Last_Modified = "20220602_1200"
        Actor = "n/a"
        Category = "Loader"
        Family = "n/a"
        Description = "Detects loader samples"
        MD5_1 = "3764a0f1762a294f662f3bf86bac776f"
        SHA256_1 = "f7f7b059b6a7dbd75b30b685b148025a0d4ceceab405e553ca28cacdeae43fab"
        MD5_2 = "21fa1a043460c14709ef425ce24da4fd"
        SHA256_2 = "66966ceae7e3a8aace6c27183067d861f9d7267aed30473a95168c3fe19f2c16"
        MD5_3 = "e9c2b8bd1583baf3493824bf7b3ec51e"
        SHA256_3 = "7ea294d30903c0ab690bc02b64b20af0cfe66a168d4622e55dee4d6233783751"
        MD5_4 = "de0d57bdc10fee1e1e16e225788bb8de"
        SHA256_4 = "33b89b8915aaa59a3c9db23343e8c249b2db260b9b10e88593b6ff2fb5f71d2b"
        MD5_5 = "9b071311ecd1a72bfd715e34dbd1bd77"
        SHA256_5 = "3c2c835042a05f8d974d9b35b994bcf8d5a0ce19128ebb362804c2d0f3eb42c0"
        MD5_6 = "05d38bc82d362dd57190e3cb397f807d"
        SHA256_6 = "4cd7efdb1a7ac8c4387c515a7b1925931beb212b95c4f9d8b716dbe18f54624f"
    strings:
        $s0 = { B8 01 00 00 00 48 6B C0 00 C6 44 04 20 A8 B8 01 }
        $s1 = { 00 00 48 6B C0 01 C6 44 04 20 9A B8 01 00 00 }
        $s2 = { 48 6B C0 02 C6 44 04 20 93 B8 01 00 00 00 48 }
        $s3 = { C0 03 C6 44 04 20 9B B8 01 00 00 00 48 6B C0 }
    condition:
        all of them
}
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2016-06-12 12:53:34-04:00
Import Hash 4f2b9ad89041fedc43298c09c8e7b948
Company Name Sysinternals – www.sysinternals.com
File Description Lists logon session information
Internal Name LogonSessions
Legal Copyright Copyright (C) 2004-2016 Mark Russinovich
Original Filename logonsessions.exe
Product Name Sysinternals LogonSessions
Product Version 1.4
PE Sections
MD5 Name Raw Size Entropy
e16f93c6b1a062a1dc2156fc770594a6 header 1024 2.888609
c4466c75f41681629fc2ead156f8de84 .text 89088 6.366960
4d9a0bcd9467b5aaee5d4d762219821b .rdata 65536 4.425938
f80417eeab656641c6a5206454b398d3 .data 6656 3.054858
e0d2510e666231c532ff97edf51abd10 .pdata 5120 4.855993
fff7f8f7be38486e0a6d01bc0472a6f2 .rsrc 550912 7.914631
bca539afcd691a4a238b78fc830dc55a .reloc 2048 4.939573
Relationships
6589a687e6… Connected_To 192.95.20.8
Description

This malware is a 64-bit Windows loader that contains an encrypted malicious executable. During runtime, this encrypted executable is decrypted and loaded into memory, never touching the system’s hard disk. The encrypted executable is similar in functionality to the file “f7_dump_64.exe” (88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8), described in report MAR-10382580.
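The section table above is the quickest static tell for this loader: the file carries Sysinternals LogonSessions version metadata, yet its .rsrc section is 550912 of 720384 bytes and has entropy 7.91, which is what an encrypted embedded executable looks like. The following is an added example, not code from the report or from CISA, that walks a PE section table without third-party libraries, computes per-section Shannon entropy, and flags sections that are both near-random and dominate the file. The thresholds (entropy >= 7.5, >= 50% of raw bytes) are the author's own assumptions, not values from the report; the constructed PE32+ image is test input, not a real sample.

```python
import hashlib
import math
import struct

# Section table for hmsvc.exe as reported above: (name, raw size, entropy).
HMSVC_SECTIONS = [
    ("header", 1024, 2.888609), (".text", 89088, 6.366960), (".rdata", 65536, 4.425938),
    (".data", 6656, 3.054858), (".pdata", 5120, 4.855993), (".rsrc", 550912, 7.914631),
    (".reloc", 2048, 4.939573),
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the measure used in the MAR tables."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the PE section table and return (name, raw_size, entropy) for each section."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    result = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        result.append((name, raw_size, shannon_entropy(image[raw_ptr:raw_ptr + raw_size])))
    return result


def suspicious_sections(sections, min_entropy=7.5, min_share=0.5):
    """Names of sections that look like an embedded encrypted payload: near-random bytes
    (entropy >= min_entropy) that also make up most of the file (share >= min_share).
    Thresholds are this example's assumptions, not values from the report."""
    total = sum(size for _, size, _ in sections) or 1
    return [name for name, size, ent in sections
            if ent >= min_entropy and size / total >= min_share]


def build_sample_pe() -> bytes:
    """Constructed test input (not a real sample): a minimal PE32+ with a low-entropy .text
    and a .rsrc filled with a deterministic SHA-256 byte stream standing in for ciphertext."""
    text = (b"\x90" * 200 + b"\xc3") * 4
    rsrc = b"".join(hashlib.sha256(b"seed%d" % i).digest() for i in range(512))
    sections = [(b".text", text), (b".rsrc", rsrc)]
    opt_size, align = 240, 0x200
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdr_end = -(-headers_len // align) * align            # round up to file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ optional-header magic
    table, body, ptr, va = b"", b"", hdr_end, 0x1000
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % align)
        table += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(padded), ptr,
                             0, 0, 0, 0, 0x40000040)
        body += padded
        ptr += len(padded)
        va += 0x10000
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers + b"\0" * (hdr_end - len(headers)) + body


if __name__ == "__main__":
    sample = build_sample_pe()
    for name, size, ent in pe_sections(sample):
        print(f"{name:8} {size:8d} {ent:.6f}")
    print("flagged (constructed PE):", suspicious_sections(pe_sections(sample)))
    print("flagged (hmsvc.exe table):", suspicious_sections(HMSVC_SECTIONS))
```

Run against the report's own numbers, the heuristic singles out .rsrc for hmsvc.exe and nothing else; a legitimate copy of logonsessions.exe has no reason to carry a half-megabyte near-random resource section. The same walk over a directory of binaries is a cheap triage pass before YARA or dynamic analysis.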

6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d

Tags

remote-access-trojan
trojan

Details
Name 658_dump_64.exe
Size 491520 bytes
Type PE32+ executable (console) x86-64, for MS Windows
MD5 f9e6ca0bdaa43df9ed0449b964e1b8b4
SHA1 24b983856dfdd4e48eeeafc9372b70d6b53ae722
SHA256 6e3840f11aa02f391edd7e3e65b214f1af128fa207b4feb7f69e438014a2206d
SHA512 5b8bfe6f043cd6e0ee6ac6665e95751c5369ec171050497122533302f2d7f5f5b7a4a23c70618f396bd52b4ec919ff2214cc2641a0e46607707d3d393fd105eb
ssdeep 6144:F4ph6Duxm/k+DesM/uZwZLmixJwxbgaEvUhN8/bSJ40+R833OutenWRaMt:F4b6DV/k+D3MWZFXgJvBX/b0
Entropy 6.058119
Antivirus
AhnLab Trojan/Win.PWS
ESET a variant of Win64/Spy.Agent.EA trojan
YARA Rules
rule CISA_10382580_01 : rat
{
    meta:
        Author = "CISA Code & Media Analysis"
        Incident = "10382580"
        Date = "2022-05-25"
        Last_Modified = "20220602_1200"
        Actor = "n/a"
        Category = "Remote Access Tool"
        Family = "n/a"
        Description = "Detects Remote Access Tool samples"
        MD5_1 = "199a32712998c6d736a05b2dbd24a761"
        SHA256_1 = "88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8"
    strings:
        $s0 = { 0F B6 40 0F 6B C8 47 41 0F B6 40 0B 02 D1 6B C8 }
        $s1 = { 35 41 0F B6 00 41 88 58 01 41 88 78 02 41 88 70 }
        $s2 = { 66 83 F8 1E }
        $s3 = { 66 83 F8 52 }
    condition:
        all of them
}
ssdeep Matches

No matches found.

PE Metadata
Compile Date 2022-02-21 19:02:06-05:00
Import Hash cc2269b4f6a11e02b40a384e27ad5e8c
PE Sections
MD5 Name Raw Size Entropy
60df3f67c31781bbec2444de6daf8a2b header 4096 0.893865
9ebe1be469e63ff47601b0c714285509 .text 327680 6.393378
1cb5bcc8bcade2b3ddee4dc6c617824a .rdata 110592 4.552154
e89305f8c6e571d82fb370f352192aa2 .data 20480 3.781076
ca8c03d7af637fa213b44d065c073c75 .pdata 20480 5.309842
bab9a0fee3d912c3b866d3ca88b47510 _RDATA 4096 0.256806
9a68c3f572ae2b201926c193eeed1cab .reloc 4096 4.894447
Packers/Compilers/Cryptors
Microsoft Visual C++ 8.0 (DLL)
Description

This file is a 64-bit Windows executable that was extracted from the malware named hmsvc.exe, also included within this submission. Static analysis of this application reveals it is a RAT that provides a vast array of C2 capabilities to a remote operator, including the ability to log keystrokes, upload and execute additional payloads, function as a proxy, and have graphical user interface (GUI) access over a target Windows system’s desktop. During runtime, the malware connects out to its hard-coded C2 server 192[.]95[.]20[.]8 on port 443. After establishing this connection, the malware waits for data from the remote C2 server. Static analysis indicates the malware receives a block of data that contains command data and a 16-byte key. The 16-byte key is extracted from the received data and used to decrypt the command portion. The first four bytes of the decrypted command portion are checked against the value 0x0E03882A. If they match, the malware attempts to process the decrypted data as a command. If they do not match, the C2 session is terminated and the malware attempts to reinitiate a connection to the C2 server.

The executable is very similar in design and functionality to the file “f7_dump_64.exe” (88a5e4b24747648a4e3f0a2d5282b51683260f9208b06788fc858c44559da1e8), described in report MAR-10382580.
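The check described above (per-block 16-byte key, decrypt, compare the first dword to 0x0E03882A, otherwise drop the session and reconnect) is worth having as code when working with a capture of this traffic, because a decoder that gets the framing wrong fails silently. The following is an added example, not code from the report or from CISA. The report gives the key length and the magic value but not the cipher (Figure 1 is a screenshot not reproduced here), so `stand_in_cipher` is a placeholder repeating-key XOR that must be swapped for the real routine; that the key precedes the command in the block and that the dword compare is little-endian are also assumptions. The sample traffic is constructed.

```python
import os
import struct

C2_MAGIC = 0x0E03882A   # expected first dword of a decrypted command (from the report)
KEY_LEN = 16            # per-block key length (from the report)


def stand_in_cipher(key: bytes, data: bytes) -> bytes:
    """Placeholder for the malware's own routine (Figure 1), which is NOT reproduced here.
    Repeating-key XOR is symmetric, so one function serves as both encrypt and decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def handle_c2_block(block: bytes, decrypt=stand_in_cipher):
    """Implant-side check. Returns ("command", payload) when the block decrypts to the
    magic value, otherwise ("reconnect", reason), mirroring the terminate-and-reconnect path."""
    if len(block) < KEY_LEN + 4:
        return ("reconnect", "block too short")
    key, enc = block[:KEY_LEN], block[KEY_LEN:]       # assumption: key precedes the command
    plain = decrypt(key, enc)
    (magic,) = struct.unpack_from("<I", plain)         # assumption: little-endian dword compare
    if magic != C2_MAGIC:
        return ("reconnect", f"bad magic 0x{magic:08X}")
    return ("command", plain[4:])


def build_c2_block(key: bytes, command: bytes, encrypt=stand_in_cipher) -> bytes:
    """Server side: what a conforming C2 must send for the implant to accept the command."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be 16 bytes")
    return key + encrypt(key, struct.pack("<I", C2_MAGIC) + command)


def run_session(blocks):
    """Consume blocks in order until one fails the magic check, as the implant does.
    Returns (accepted_commands, reason_for_reconnect_or_None)."""
    accepted = []
    for block in blocks:
        status, detail = handle_c2_block(block)
        if status != "command":
            return accepted, detail
        accepted.append(detail)
    return accepted, None


if __name__ == "__main__":
    key = os.urandom(KEY_LEN)
    good = build_c2_block(key, b"run:whoami")        # constructed sample traffic
    bad = bytearray(good)
    bad[KEY_LEN] ^= 0xFF                             # corrupt the first ciphertext byte
    print(run_session([good, bytes(bad), good]))     # ([b'run:whoami'], 'bad magic 0x0E0388D5')
```

Two points carry over to real captures. Because the key travels inside each block, a recorded session is fully decryptable once the algorithm in Figure 1 is implemented; no key recovery from memory is needed. And the magic check gives a cheap way to validate that implementation: if the first dword of every decrypted block is not 0x0E03882A, the key position, byte order, or cipher is wrong, since the implant itself would have dropped such a session.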

Screenshots

Figure 1 - This screenshot illustrates the cryptographic algorithm the malware utilizes to secure its inbound and outbound communications with its hard-coded C2. Communications between this malware and its C2, if collected, may be decrypted by following this algorithm.

Figure 2 - This screenshot illustrates the code structure the malware utilizes to decrypt inbound data from the remote C2, and then compare its first four bytes to the value 0x0E03882A. The inbound data must contain this value as its first four bytes, after decryption, in order for the C2 session to continue. The 16-byte key is included in the inbound payload from the remote C2.
