Backdoor.Win64.LEGIRAT.A

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any propagation routine.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Backdoor adds the following mutexes to ensure that only one of its copies runs at any one time:

• cab0a9b41f6e44c24b9fd412b5e538c0

Propagation

This Backdoor does not have any propagation routine.

Rootkit Capabilities

This Backdoor does not have rootkit capabilities.

Information Theft

This Backdoor gathers the following data:

• Hostname
• Username
• Locale

Other Details

This Backdoor connects to the following URL(s) to check for an Internet connection:

• https://www.bing.com

It does the following:

• It impersonates the logged on user.
• It uses the following URL to use Slack's API for its malicious purposes:
  • https://{BLOCKED}k.com/api/chat.postMessage
  • https://{BLOCKED}k.com/api/chat.update
  • https://{BLOCKED}k.com/api/chat.delete
  • https://{BLOCKED}k.com/api/files.upload?&channels=
  • https://{BLOCKED}k.com/api/conversations.list?exclude_archived=true
  • https://{BLOCKED}k.com/api/conversations.create
  • https://{BLOCKED}k.com/api/conversations.history?limit=200&channel=
• The Slack communication was established through the use of this hardcoded authentication token:
  • {BLOCKED}26427959425-5707141283990-5726497507873-511646c6920d425fc62e147145bc56db → Inacessible; token revoked
• It checks for the presence of the following files in order to proceed with its intended routine:
  • list.txt → encrypted payload
  • output.txt → encrypted payload

It does not exploit any vulnerability.