General

  • Target

    4aa54853c4e39405c5280a334c52714ffced26be98dcdd645ec16fb0a2699c4e

  • Size

    1.1MB

  • Sample

    220712-psnb7adba3

  • MD5

    791fb412e1bdc58d44df34e217aa50ae

  • SHA1

    0b6547e12d3866d386c5b9396d798d783d4cbb3e

  • SHA256

    4aa54853c4e39405c5280a334c52714ffced26be98dcdd645ec16fb0a2699c4e

  • SHA512

    50285762e490de0c466fa51c6fe734f1cd2ff1121aaa6633b50b159931e6bc20aaf2b012a75da47117386225b3005b92027fcd9b6a53d90a204d6800bab3c365

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

sales

C2

178.175.138.219:200

Attributes

  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    microsoft

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_yyaopwkkmmuwfrk

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      Balance_Payment.exe

    • Size

      426KB

    • MD5

      0c126915720c2dfabaa824598a7aa0c6

    • SHA1

      777c3fdb4c8f7572687cb107040103e796996849

    • SHA256

      4b4df849759c4377308e8126e7baee0bf0384fed2dfe03e9273f7cc9069c5b68

    • SHA512

      254bfdcb8465f01d3b321a2c5ef347f41f9c4f2e822fb9d64fc1263aa39c65d7cdbdb62c897ad4057cc6ce103959020eeb8a638c536528a9cf2b94f0935fe18e

    • ISR Stealer

      ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

    • ISR Stealer payload

    • suricata: ET MALWARE ISRStealer Checkin

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • Nirsoft

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    • Target

      Bank Details.exe

    • Size

      267KB

    • MD5

      af36518f0a97d140dfcd5afbb9740d8a

    • SHA1

      3b8c31dcf501d7e93bf6b3e5ffaf1638942cd47c

    • SHA256

      93276a3646988961ec65fc1b860f227454c60f143c9d1736f5ab3fdc30a7443c

    • SHA512

      95cff48acc0e72127f096b0d66d97299433a9a13e4f322195754bd59cef689badf1ec7f447dc3dd25b36cfde665a05c7251c8fa149e0bb5fe3aec97812df9fa8

    • Modifies firewall policy service

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Sality

      Sality is a backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Target

      invoice for the payment.jar

    • Size

      534KB

    • MD5

      93d2d92db87d216a310f3e57989f5b71

    • SHA1

      c9e87592ad9e35a4042d8f766c537a866a359fd9

    • SHA256

      37d20da1d9f4859c04c4f4fa921ef98cec87c7c50e1666c3fe9be5104716b268

    • SHA512

      7efd15ef40f5cb46cf905ab96a7d19b114e111b2cf77a0729de5693019242e0c013cc4c846051d14286915dcf52edb22e2fa388dc1119ab1284f1dd3df110880

    • AdWind

      A Java-based RAT family operated as malware-as-a-service.

    • UAC bypass

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Executes dropped EXE

    • Sets file execution options in registry

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v6

Tactic                 Technique                              Count  ID
Initial Access         Replication Through Removable Media    1      T1091
Persistence            Modify Existing Service                1      T1031
Persistence            Registry Run Keys / Startup Folder     3      T1060
Persistence            Hidden Files and Directories           1      T1158
Privilege Escalation   Bypass User Account Control            2      T1088
Defense Evasion        Modify Registry                        10     T1112
Defense Evasion        Bypass User Account Control            2      T1088
Defense Evasion        Disabling Security Tools               4      T1089
Defense Evasion        Hidden Files and Directories           1      T1158
Credential Access      Credentials in Files                   1      T1081
Discovery              Query Registry                         2      T1012
Discovery              System Information Discovery           4      T1082
Discovery              Peripheral Device Discovery            1      T1120
Discovery              Remote System Discovery                1      T1018
Lateral Movement       Replication Through Removable Media    1      T1091
Collection             Data from Local System                 1      T1005
Collection             Email Collection                       1      T1114
Impact                 Inhibit System Recovery                1      T1490

Tasks