#FIN7
As reported by @KorbenD_Intel, the initial powershell script use DeflateStream method for uncompress the zip in memory and extract it. This execute the second layer that heavily obfuscated. More 70 functions are used for reorder the data for sensible strings and the implant
#FIN7As reported by @KorbenD_Intel, the initial powershell script use DeflateStream method for uncompress the zip in memory and extract it. This execute the second layer that heavily obfuscated. More 70 functions are used for reorder the data for sensible strings and the implant
#FIN7As reported by @KorbenD_Intel, the initial powershell script use DeflateStream method for uncompress the zip in memory and extract it. This execute the second layer that heavily obfuscated. More 70 functions are used for reorder the data for sensible strings and the implant
Once removed, this extract from another deflated stream with content the x64 PE still in memory by a memorystream. This finally loaded by reflective method.
Once removed, this extract from another deflated stream with content the x64 PE still in memory by a memorystream. This finally loaded by reflective method.
Once removed, this extract from another deflated stream with content the x64 PE still in memory by a memorystream. This finally loaded by reflective method.
Once removed, this extract from another deflated stream with content the x64 PE still in memory by a memorystream. This finally loaded by reflective method.
The x64 implant extract the configuration from the section ".text" of the PE for get the C2. This initiate the sockets after getting the system infos (computername, username, network cards infos ...).
The x64 implant extract the configuration from the section ".text" of the PE for get the C2. This initiate the sockets after getting the system infos (computername, username, network cards infos ...).
The x64 implant extract the configuration from the section ".text" of the PE for get the C2. This initiate the sockets after getting the system infos (computername, username, network cards infos ...).
The x64 implant extract the configuration from the section ".text" of the PE for get the C2. This initiate the sockets after getting the system infos (computername, username, network cards infos ...).
The x64 implant extract the configuration from the section ".text" of the PE for get the C2. This initiate the sockets after getting the system infos (computername, username, network cards infos ...).
This perform events for get ready if the C2 reply to download and execute the orders.
This perform events for get ready if the C2 reply to download and execute the orders.
This perform events for get ready if the C2 reply to download and execute the orders.
This perform events for get ready if the C2 reply to download and execute the orders.
This perform events for get ready if the C2 reply to download and execute the orders.
Thanks to @KorbenD_Intel @JAMESWT_MHT for their help.
Code, pictures, samples:
https://github.com/StrangerealIntel/Cerberus/tree/master/FIN7/2020-09-29
Bazaar:
https://bazaar.abuse.ch/sample/003645e2686bf863585f95532e847dfe8f3b791c5b36f1a02ea2060f97b12125/
cc: @VK_Intel @malwrhunterteam @MeltX0R @ItsReallyNick @_re_fox @Rmy_Reserve @DeadlyLynn @James_inthe_box @shotgunner101 @0xtornado @ShadowChasing1 @malz_intel @cyb3rops @faisalusuf @JusticeRage @felixaime @ItsReallyNick @DrunkBinary @craiu @jeromesegura
You can follow @Arkbird_SOLG.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
Those who think consciousness raising & movement building are disconnected, or even a distraction from electoral politics have not paid attention to the history of social change.In this thread, we
Read more
The 2020s will be known as the Remote Work decadeA few predictions of what is likely to emerge[ a thread ] Third Space: Office and Working from Home will
Read more
1/29: Have you ever had a concept explained to you that helps frame complex issues you’ve been wrestling with and opens your eyes to new possibilities? A concept that I
Read more
By continuing to use the site, you are consenting to the use of cookies as explained in our Cookie Policy to improve your experience.