Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call

 1title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
 2id: 9c0295ce-d60d-40bd-bd74-84673b7592b1
 3related:
 4    - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59
 5      type: similar
 6status: test
 7description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"
 8references:
 9    - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar
10    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
11    - https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0
12author: pH-T (Nextron Systems)
13date: 2022/03/01
14modified: 2023/04/06
15tags:
16    - attack.execution
17    - attack.defense_evasion
18    - attack.t1059.001
19    - attack.t1027
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        CommandLine|contains:
26            # ::("L"+"oad")
27            - 'OgA6ACgAIgBMACIAKwAiAG8AYQBkACIAKQ'
28            - 'oAOgAoACIATAAiACsAIgBvAGEAZAAiACkA'
29            - '6ADoAKAAiAEwAIgArACIAbwBhAGQAIgApA'
30            # ::("Lo"+"ad")
31            - 'OgA6ACgAIgBMAG8AIgArACIAYQBkACIAKQ'
32            - 'oAOgAoACIATABvACIAKwAiAGEAZAAiACkA'
33            - '6ADoAKAAiAEwAbwAiACsAIgBhAGQAIgApA'
34            # ::("Loa"+"d")
35            - 'OgA6ACgAIgBMAG8AYQAiACsAIgBkACIAKQ'
36            - 'oAOgAoACIATABvAGEAIgArACIAZAAiACkA'
37            - '6ADoAKAAiAEwAbwBhACIAKwAiAGQAIgApA'
38            # ::('L'+'oad')
39            - 'OgA6ACgAJwBMACcAKwAnAG8AYQBkACcAKQ'
40            - 'oAOgAoACcATAAnACsAJwBvAGEAZAAnACkA'
41            - '6ADoAKAAnAEwAJwArACcAbwBhAGQAJwApA'
42            # ::('Lo'+'ad')
43            - 'OgA6ACgAJwBMAG8AJwArACcAYQBkACcAKQ'
44            - 'oAOgAoACcATABvACcAKwAnAGEAZAAnACkA'
45            - '6ADoAKAAnAEwAbwAnACsAJwBhAGQAJwApA'
46            # ::('Loa'+'d')
47            - 'OgA6ACgAJwBMAG8AYQAnACsAJwBkACcAKQ'
48            - 'oAOgAoACcATABvAGEAJwArACcAZAAnACkA'
49            - '6ADoAKAAnAEwAbwBhACcAKwAnAGQAJwApA'
50    condition: selection
51fields:
52    - CommandLine
53falsepositives:
54    - Unlikely
55level: high

References

• Raccine/yara/mal_revil.yar at 20a569fa21625086433dcce8bb2765d0ea08dcb6 · Neo23x0/Raccine

  

  A Simple Ransomware Vaccine. Contribute to Neo23x0/Raccine development by creating an account on GitHub.

  
  Read More

• SEO Poisoning - A Gootloader Story

  

  In early February 2022, we witnessed an intrusion employing Gootloader (aka GootKit) as the initial access vector.The intrusion lasted two days and comprised discovery, persistence, lateral movement, collection, defense evasion, credential access and command and control activity.

  
  Read More

• AppDomain.Load Method (System)

  

  Loads an Assembly into this application domain.

  
  Read More

Related rules

• PowerShell Base64 Encoded Reflective Assembly Load
• Invoke-Obfuscation Obfuscated IEX Invocation
• Potential PowerShell Obfuscation Via WCHAR
• Detection of PowerShell Execution via Sqlps.exe
• SQL Client Tools PowerShell Session Detection