0481f43c7f5b88e571514182c7ed5f64

General

Target: 0481f43c7f5b88e571514182c7ed5f64
Size: 457KB
Sample: 210726-7rhezxfyzj
Score: 10/10
MD5: 0481f43c7f5b88e571514182c7ed5f64
SHA1: 6b597b3ddb06f3d68323c43a3d000452a115501d
SHA256: 885e34ff7befbdcdb027a017843cbacdba7eebb34d3df2e3113cceb9adafe8b5
SHA512: a7d260045043187546a437a5d708eabffcd339648a45cc23b175fc3cba996551f696dd3b114b1630be6e23324b63906788ffe5cf93e3849b382c30d391b6d9ba

Malware Config

Extracted
  Family: warzonerat
  C2: byx.z86.ru:5200

Extracted
  Family: remcos
  Version: 1.7 Pro
  Botnet: Host
  C2: dpqw-avira.bot.nu:2404

  Attributes
    audio_folder: audio
    audio_path: %AppData%
    audio_record_time: 5
    connect_delay: 0
    connect_interval: 5
    copy_file: explorer.exe
    copy_folder: windows
    delete_file: false
    hide_file: true
    hide_keylog_file: false
    install_flag: true
    install_path: %AppData%
    keylog_crypt: false
    keylog_file: logs.dat
    keylog_flag: false
    keylog_folder: remcos
    keylog_path: %AppData%
    mouse_option: false
    mutex: remcos_abihghbcgbxx#
    screenshot_crypt: false
    screenshot_flag: false
    screenshot_folder: Screens
    screenshot_path: %AppData%
    screenshot_time: 1
    startup_value: pdf
    take_screenshot_option: false
    take_screenshot_time: 5
    take_screenshot_title:
Targets

Target: 0481f43c7f5b88e571514182c7ed5f64 (457KB, score 10/10; MD5, SHA1, SHA256 and SHA512 as listed under General above)

Signatures

  • Remcos
    Description: Remcos is closed-source remote control and surveillance software.

  • WarzoneRat, AveMaria
    Description: WarzoneRat is a native RAT developed in C++ with multiple plugins, sold as a MaaS.

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System; Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (tactic columns shown in the report): Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation