General

  • Target

    d9c650fdcc961cfb86baaff737d8c7bd.exe

  • Size

    1000KB

  • Sample

    220626-jkx9jaabhm

  • MD5

    d9c650fdcc961cfb86baaff737d8c7bd

  • SHA1

    0a5d1730dbd7c2d925c88bf1bd3c726ba6f62e2d

  • SHA256

    79103532395036c14b755d90f9cacfdec6b588f1b031a7cba936c1b9d2ef3b51

  • SHA512

    bc735fe469f91fc2ee5fd5aa1ad11141b115f1c04c466f8cfcd8b192c137a3d24927f1d2dcd3edd5f237f17e1cdfa417e3d8c02a2865fbbe5185743f17ccdd6f

Malware Config

Extracted

Family

recordbreaker

C2

http://193.106.191.146/

http://185.215.113.89/

Extracted

Family

arkei

Botnet

Default

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

remcos

Botnet

06192022

C2

nikahuve.ac.ug:6968

kalskala.ac.ug:6968

tuekisaa.ac.ug:6968

parthaha.ac.ug:6968

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    scxs.dat

  • keylog_flag

    false

  • keylog_folder

    forbas

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    cvxyttydfsgbghfgfhtd-RXTSAM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      d9c650fdcc961cfb86baaff737d8c7bd.exe

    • Size

      1000KB

    • MD5

      d9c650fdcc961cfb86baaff737d8c7bd

    • SHA1

      0a5d1730dbd7c2d925c88bf1bd3c726ba6f62e2d

    • SHA256

      79103532395036c14b755d90f9cacfdec6b588f1b031a7cba936c1b9d2ef3b51

    • SHA512

      bc735fe469f91fc2ee5fd5aa1ad11141b115f1c04c466f8cfcd8b192c137a3d24927f1d2dcd3edd5f237f17e1cdfa417e3d8c02a2865fbbe5185743f17ccdd6f

    • Arkei

      Arkei is an infostealer written in C++.

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • RecordBreaker

      RecordBreaker is an information stealer capable of downloading and executing secondary payloads written in C++.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

      suricata: ET MALWARE Base64 Encoded Stealer Config from Server - APPDATA or USERPROFILE Environment Variable M4

    • suricata: ET MALWARE Generic Stealer Config Download Request

      suricata: ET MALWARE Generic Stealer Config Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5

      suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M5

    • suricata: ET MALWARE Win32/RecordBreaker CnC Checkin

      suricata: ET MALWARE Win32/RecordBreaker CnC Checkin

    • suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

      suricata: ET MALWARE Win32/Vidar Variant/Mars Stealer CnC Exfil

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks