HackTool.MSIL.SharpHound.A

 Analysis by: Ricardo III Valdez

 ALIASES:

UDS:HackTool.MSIL.Sharphound.gen (KASPERSKY)

 PLATFORM:

Windows

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet, Dropped by other malware


This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size:

1,052,160 bytes

File Type:

EXE

Memory Resident:

No

Initial Samples Received Date:

26 May 2023

Payload:

Steals information

Arrival Details

This Hacking Tool arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Information Theft

This Hacking Tool gathers the following data:

  • User login data
  • Group membership
  • Local admin rights
  • Password policies
  • Trust relationships

Other Details

This Hacking Tool does the following:

  • It is a data collection tool that gathers information from a Windows domain environment, including data about users, groups, permissions and other related objects.

It accepts the following parameters:

  • -c, --collectionmethods
    Specifies the type of data collection method to be used with the following options:
    • Container
    • Group
    • LocalGroup
    • GPOLocalGroup
    • Session
    • LoggedOn
    • ObjectProps
    • ACL
    • ComputerOnly
    • Trust
    • Default
    • RDP
    • DCOM
    • DCOnly
  • -d, --domain ← Specifies the target domain to collect data from.
  • -s, --searchforest (Default: false) ← Searches all available domains in the forest.
  • --stealth (Preferred: DCOnly) ← Enables stealth mode to reduce data collection visibility.
  • -f ← Adds an LDAP filter to the pre-generated filter.
  • --distinguishedname ← Specifies the base DistinguishedName to start the LDAP search at.
  • --computerfile ← Specifies the path to a file containing computer names to enumerate.
  • --outputdirectory ← Sets the directory for the output files.
  • --outputprefix ← Specifies the string to prepend to output file names.
  • --cachename ← Sets the filename for the cache (defaults to a machine-specific identifier).
  • --memcache ← Keeps the cache in memory and does not write it to disk.
  • --rebuildcache (Default: false) ← Rebuilds the cache and removes all entries.
  • --randomfilenames (Default: false) ← Uses random filenames for output files.
  • --zipfilename ← Sets the filename for the output ZIP file.
  • --nozip (Default: false) ← Does not zip the output files.
  • --trackcomputercalls (Default: false) ← Adds a CSV file tracking requests to computers.
  • --zippassword ← Sets a password for the ZIP file.
  • --prettyprint (Default: false) ← Pretty-prints the JSON output.
  • --ldapusername ← Sets the username for LDAP.
  • --ldappassword ← Sets the password for LDAP.
  • --domaincontroller ← Overrides the domain controller to pull LDAP data from; this option can result in data loss.
  • --ldapport (Default: 0) ← Sets the override port for LDAP.
  • --secureldap (Default: false) ← Connects to LDAP over SSL instead of regular LDAP.
  • --disablecertverification (Default: false) ← Disables certificate verification for secure LDAP.
  • --disablesigning (Default: false) ← Disables Kerberos signing/sealing.
  • --skipportcheck (Default: false) ← Skips checking whether port 445 is open.
  • --portchecktimeout (Default: 500) ← Sets the timeout for port checks in milliseconds.
  • --skippasswordcheck (Default: false) ← Skips the PwdLastSet age check when checking computers.
  • --excludedcs (Default: false) ← Excludes domain controllers from session/localgroup enumeration (mostly for ATA/ATP).
  • --throttle ← Adds a delay after computer requests, in milliseconds.
  • --jitter ← Adds jitter to the throttle delay (value in percent).
  • --threads (Default: 50) ← Specifies the number of threads to be used for data collection.
  • --skipregistryloggedon ← Skips registry session enumeration.
  • --overrideusername ← Overrides the username to filter for in NetSessionEnum.
  • --realdnsname ← Overrides the DNS suffix for API calls.
  • --collectallproperties ← Collects all LDAP properties from objects.
  • -l, --Loop ← Enables looping in computer data collection.
  • --loopduration ← Sets the loop duration (hh:mm:ss; 05:00:00 is 5 hours, default: 2 hours).
  • --loopinterval ← Adds a delay between loops (hh:mm:ss; 00:03:00 is 3 minutes).
  • --statusinterval (Default: 30000) ← Sets the interval at which status is displayed, in milliseconds.
  • -v (Default: 2) ← Sets the verbosity level; lower is more verbose.
  • --help ← Displays the help screen.
  • --version ← Displays the current software's version information.
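The switch names above are what a defender actually sees in process-creation telemetry, and they survive renaming of the binary. The following is an added example, not part of this entry and not Trend Micro's or SharpHound's own code: a Python heuristic that flags command lines carrying the long-form switches or a recognisable `-c`/`--collectionmethods` value from the list. The event lines, the `cmdline=` field layout and the scoring weights are constructed assumptions for the example, not any product's schema.

```python
"""Heuristic flagging of SharpHound-style command lines in process-creation telemetry.

Added example for this entry; not Trend Micro's detection logic and not SharpHound code.
The switch names and collection-method names come from the parameter list above. The
event lines below and their ``cmdline=`` field layout are constructed for the example.
"""
import re
from dataclasses import dataclass

# Long-form switches from the parameter list. These names are specific enough that a
# single hit is worth an alert on its own.
DISTINCTIVE_SWITCHES = {
    "--collectionmethods", "--searchforest", "--stealth", "--distinguishedname",
    "--computerfile", "--outputprefix", "--cachename", "--memcache", "--rebuildcache",
    "--randomfilenames", "--zipfilename", "--nozip", "--trackcomputercalls",
    "--zippassword", "--prettyprint", "--ldapusername", "--ldappassword",
    "--domaincontroller", "--ldapport", "--secureldap", "--disablecertverification",
    "--disablesigning", "--skipportcheck", "--portchecktimeout", "--skippasswordcheck",
    "--excludedcs", "--skipregistryloggedon", "--overrideusername", "--realdnsname",
    "--collectallproperties", "--loopduration", "--loopinterval", "--statusinterval",
}
# Short or common switches shared with many other tools: they only add to the score.
GENERIC_SWITCHES = {"-c", "-d", "-s", "-f", "-l", "-v", "--domain", "--loop",
                    "--threads", "--throttle", "--jitter", "--outputdirectory"}
# Values accepted by -c/--collectionmethods, from the page (lower-cased for matching).
COLLECTION_METHODS = {
    "container", "group", "localgroup", "gpolocalgroup", "session", "loggedon",
    "objectprops", "acl", "computeronly", "trust", "default", "rdp", "dcom", "dconly",
}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # keep quoted paths with spaces as one token


@dataclass
class Verdict:
    cmdline: str
    distinctive: list
    generic: list
    methods: list
    score: int
    suspicious: bool


def tokenize(cmdline: str) -> list:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def split_switch(token: str):
    """'--zippassword=x' -> ('--zippassword', 'x'); '--nozip' -> ('--nozip', None)."""
    if token.startswith("-") and "=" in token:
        name, _, value = token.partition("=")
        return name.lower(), value
    return token.lower(), None


def assess(cmdline: str) -> Verdict:
    tokens = tokenize(cmdline)
    distinctive, generic, methods = [], [], []
    for i, raw in enumerate(tokens):
        name, inline_value = split_switch(raw)
        if name in DISTINCTIVE_SWITCHES:
            distinctive.append(name)
        elif name in GENERIC_SWITCHES:
            generic.append(name)
        if name in ("-c", "--collectionmethods"):
            # value is either inline (--collectionmethods=DCOnly) or the next token
            value = inline_value if inline_value is not None else (
                tokens[i + 1] if i + 1 < len(tokens) else "")
            parts = [p.strip().lower() for p in value.split(",") if p.strip()]
            if parts and all(p in COLLECTION_METHODS for p in parts):
                methods = parts
    score = 2 * len(distinctive) + len(generic) + (2 if methods else 0)
    # Generic switches alone never trigger: -d/-s/-v are shared with far too many tools.
    suspicious = bool(distinctive or methods)
    return Verdict(cmdline, distinctive, generic, methods, score, suspicious)


SAMPLE_EVENTS = [  # constructed, not real telemetry
    r'host=WS01 cmdline="C:\Users\Public\svc.exe" -c Session,LoggedOn,Trust --stealth --zippassword <redacted>',
    r'host=WS02 cmdline=ssh.exe -v -l admin jumpbox',
    r'host=WS03 cmdline=collector.exe --collectionmethods=DCOnly --ldapusername=svc_ldap --ldappassword=<redacted> --randomfilenames',
    r'host=WS04 cmdline=notepad.exe C:\temp\notes.txt',
]


def scan(events: list) -> list:
    """Return one Verdict per event line; the cmdline= field runs to the end of the line."""
    return [assess(line.partition("cmdline=")[2]) for line in events]


if __name__ == "__main__":
    for v in scan(SAMPLE_EVENTS):
        flag = "ALERT " if v.suspicious else "ok    "
        print(f"{flag} score={v.score:<2} methods={v.methods} switches={v.distinctive + v.generic}")
```

The verdict deliberately ignores the executable name and fires only on a long-form switch or on a comma list that consists solely of the collection methods listed above; the short switches (`-d`, `-s`, `-v`, `-l`) are shared with ordinary administrative tools such as `ssh`, so on their own they only raise the score for triage. Both `--key value` and `--key=value` forms are handled, since either is accepted by the tool.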

  SOLUTION

Minimum Scan Engine:

9.800

SSAPI PATTERN File:

2.627.00

SSAPI PATTERN Date:

01 Jun 2023

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

    • Ransom.Win32.TRX.XXPE50FFF068

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Identify and terminate files detected as HackTool.MSIL.SharpHound.A

  1. Windows Task Manager may not display all running processes. In this case, please use a third-party process viewer, preferably Process Explorer, to terminate the malware/grayware/spyware file. You may download the said tool here.
  2. If the detected file is displayed in either Windows Task Manager or Process Explorer but you cannot delete it, restart your computer in safe mode. To do this, refer to this link for the complete steps.
  3. If the detected file is not displayed in either Windows Task Manager or Process Explorer, continue doing the next steps.

Step 5

Scan your computer with your Trend Micro product to delete files detected as HackTool.MSIL.SharpHound.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
