THREAT: Russian ManStealer Warrior
Introduction
I would like to tell you about an interesting malware vendor and malware processes that I have been working on for months. At first sight he saw it differently from any other stealer I have come across. However, as they progressed, I realized that my mind had changed. I want to share them with you.
In malware, I was expecting management via a panel (C2) as usual from the Russian stealer vendor. But I saw the vendor generate these from a client application.
Let's start looking at the vendor and malware right away...
The malware is first time on this forum "hxxps://skynetzone[.net/threads/manhvnc-hvnc-stealer-and-loader-native[.24580/" The seller then continued to offer it for sale in different forums at indefinite intervals. First Date October 6, 2020
When I first saw the malware, it was obvious that it was a normal RAT (Remote Administration Tools).
By entering the specified group mostly via telegram. We can see that this group is closed to regular users, its intended use only to post new updates and sales-related announcements.
And the main purpose for such vendors to form groups is to use them for credibility and pride in their customers. Everything up to this point is normal. However, when I did a little more research, looking at the forums it offered for sale, the rumors about the Manstealer Malware seller caught my eye.
So which hosting service ManStealer malware vendor offered?
Clients are asked to use "https://dedic.store/" for server which definitely looks like a Dedicated server provider. A place that provides an interesting hosting service, such as a reseller LMAOOO
However, I believe that even the person providing this service is himself. But I found that the malware the vendor is using belongs to a different hosting service than the command control server.
This company I found has a bad past than before. Dhia Mahjoub wrote on September 14, 2015, that there is analysis that abused hosting providers such as Vultr Holdings, LLC consistently address a variety of "malicious activity".
Here's a little quote from that article: "These 2LDs are all hosted on IPs that are part of AS20473, AS-CHOOPA - Choopa, LLC 86400, but more specifically they are all under the hoster Vultr, which is a child company of Choopa, LLC. "
(Note: The original article and Intelligence/IOC are mentioned at the end of the article.)
The rumors proceeded as follows: the author of this malware claimed that he was the author of the malware, but some users on the forum made statements that determined that this was not the case after purchasing and analyzing the malware for testing purposes. In other words, it was determined that he personalized the malware with a programming interface.
Some details
I analyzed 50% of my analysis in the hatching triage malware analysis sandbox area. Thank you to the triage family for this.
The mutex structure of the malware is as follows. "RAT_(18 characters a.z alphabetic random generator)_Mutex"
Another thing the malware does at startup, Malware modifies data under hkey_users:
Key Create - \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections - Process svchost.exe
Key Create - \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache - Process svchost.exe
AES Key I extracted from the malware's config file: "lXQuB3or3nLf1TeKzQ9Bb3R0mBS4npX1"
Command control servers and ports that the malware connects to:
C2 : "45.77.101.153"
Ports : "6606, 7707, 8808"
The parts of the malware described so far match the parts that the vendor has updated again. However, there is no anti-analysis method and no method that will disturb the analysis process.
Generally, malware actions behave like a RAT malware. Keylogger, Desktop screenshot, stealing user password cookies, running itself at startup, etc. activity.
ManStealer Malware Dec 22, 2020 last version released
MD5: 34eacbb5f987cf3711bbd2f8bbf21fea
SHA256: f658bc9b0dc3d342463f6eecae35d14d48825ac175358773c62905d6d58f5cd2
FileSize: 45KB
C2:
45.[77.[101.153:[6606
45.[77.[101.153:[8808
45.[77.[101.153:[7707
Memory dump file and pcap file:
"https://github.com/Joefreedy/StealerHunter/tree/main/ManStealer"
Dhia Mahjoub Research article mentioned in the article:
"https://umbrella.cisco.com/blog/phishing-spiking-and-bad-hosting"
