General
-
Target
pack.7z
-
Size
21.5MB
-
Sample
220810-m31n6abbf8
-
MD5
7db1fe010858843c6c24bfe2ba0b8954
-
SHA1
6924d33e7a785c37ce9b86a3c235a4c285502372
-
SHA256
7bb432c0ac0cf65de6c795685a41b1478f9d979e2b05bd9c8fb11725f9942e01
-
SHA512
71f0d23b5298ce30c14d407cbf01636c07048c0ccd28cf0c55aa1bdf2b29e7e0598d063cd0ade4ce07209cccd5b45232b26b201db70afca6dc20bfff6cb7ac33
Malware Config
Extracted
asyncrat
0.5.7B
Default
192.168.1.4:6606
192.168.1.4:7707
192.168.1.4:8808
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
141.98.6.228:8808
xeirz.ddns.net:1604
192.168.1.2:6606
192.168.1.2:7707
192.168.1.2:8808
AsyncMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
redline
cheat
109.206.241.81:55527
ponchikvps.ddns.net:1337
Extracted
asyncrat
1.0.7
Default
192.168.1.4:8848
aka1.ddns.net:8848
aka1.ddns.net:8828
aka1.ddns.net:1616
aka2.ddns.net:8848
aka2.ddns.net:8828
aka2.ddns.net:1616
aka3.ddns.net:8848
aka3.ddns.net:8828
aka3.ddns.net:1616
192.168.1.7:8848
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
blustealer
https://api.telegram.org/bot5449766717:AAHzRorvKI5URgvleGHlq6ZvqElY68-XL18/sendMessage?chat_id=1293496579
Extracted
netwire
37.0.14.206:3384
ponchikvps.ddns.net:3677
ponchikvps.ddns.net:3360
-
activex_autorun
false
-
copy_executable
true
-
delete_original
false
-
host_id
HostId-%Rand%
-
install_path
%AppData%\Install\Host.exe
-
keylogger_dir
%AppData%\Logs\
-
lock_executable
true
-
offline_keylogger
true
-
password
Password234
-
registry_autorun
false
-
use_mutex
false
Extracted
agenttesla
https://api.telegram.org/bot5520247480:AAEoBq-eVV-KfON2FKSf_2riekCozVDdnus/sendDocument
https://api.telegram.org/bot5160627201:AAFqhXgzctTZMSuR7dIpLe50dmHi1xpPyYQ/sendDocument
Extracted
formbook
4.1
f48y
7772214.com
pinsmakers.info
organicspoonful.com
kxza1.xyz
panacuraconversion.com
hkgst.net
roguemd.online
klm6.net
mercantilegrub.com
sighthoundsavoy.co.uk
wintergedichte.info
kave22.com
benidias.uk
beautysuggestion.com
flightfright.com
ying1388.com
nattyssweettooth.com
motorads.uk
918eacequiamadre.com
x5ln3.xyz
Extracted
bitrat
1.38
192.168.1.4:12
eichelberger.duckdns.org:7744
-
communication_password
81dc9bdb52d04dc20036dbd8313ed055
-
install_dir
Install path
-
install_file
Install name
-
tor_process
tor
Extracted
njrat
0.7d
MyBot
dgever.ddns.net:1604
ponchikvps.ddns.net:6522
cac8839188c03ea55e36819553cd7507
-
reg_key
cac8839188c03ea55e36819553cd7507
-
splitter
Y262SUCZ4UJJ
Extracted
remcos
msmpeng
191.101.30.16:4444
securewebareaxxx.ddns.net:4444
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-08LKIV
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
svchost
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
formbook
4.1
de29
sacredsong.net
talleresdemecanica.com
ezcdn285.net
sellingyourcloset.com
aplicativoparaempresa.site
diouma.online
mypets.place
piksel3d.online
specauto.care
crctm.net
teenpornbb.co
travelhorrycounty.com
sean-dodd.com
atlasvle.site
relocationtx.com
experiencias.pro
wnndh.com
i-memorial.com
d2w2e361f357a2vfay2og.xyz
nginx.host
Extracted
orcus
xeirz.ddns.net:1604
aeab5a7c6ed742ff8f5b15b26bac10a6
-
autostart_method
Disable
-
enable_keylogger
true
-
install_path
%programfiles%\Orcus\Orcus.exe
-
reconnect_delay
10000
-
registry_keyname
Orcus
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Extracted
raccoon
48b666ccdcdf3511c5b4921dc5f7b868
http://5.253.84.117/
Extracted
quasar
1.4.0
Office04
109.206.241.81:4782
d695f8ee-15de-4e23-9b75-4d53bcab9c01
-
encryption_key
1604B933367CFC643050158C7CDFCA5B18F1F19E
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Extracted
remcos
DOCTOR
185.222.58.111:5355
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
PerfLog.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-GC26TV
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
PerfLog
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
remcos
RemoteHost
37.0.14.206:3352
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Remcos-SSCE3Q
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
xloader
2.6
uu0p
easeupp.com
ffffcc.xyz
commercialsymposium.com
bahamascargologistics.com
avajwelr.xyz
flipwatch.xyz
serprobumar.com
zlasher.store
zxlsn6.com
xiaojiaowanwan.com
hrkpacking.com
visitprnow.com
stkjzz.com
printfusion.net
blackoakssavannah.com
yuiseika.com
watnefarms.com
oneclickmsp.com
niu-tou.com
wholytraffic.com
Extracted
nanocore
1.2.2.0
timmy06.ddns.net:28286
127.0.0.1:28286
7089eeb0-6b9e-441d-ba36-b1625eb8df78
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-05-09T11:31:15.610207936Z
-
bypass_user_account_control
true
- bypass_user_account_control_data
-
clear_access_control
false
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
28286
-
default_group
JULY 2022
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
7089eeb0-6b9e-441d-ba36-b1625eb8df78
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
timmy06.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
redline
TeleSpammer1
65.108.209.36:36162
-
auth_value
944996cfdb320d3f737fb63253ad2af3
Extracted
remcos
Andrew
185.222.58.111:5355
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
PerfLog.exe
-
copy_folder
Remcos
-
delete_file
true
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
true
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-2BHLXE
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
PerfLog
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
formbook
4.1
jn86
yzeym.top
bettymassage.co.uk
zvzac.com
eventscomparison.xyz
ybzgh.com
3618shop.com
sosoicey.com
sundancerenewable.com
whorephotos.com
zamawiamy.online
idmtoucan.site
home-visites.com
maxtesler.website
terilio.net
aaemp.com
linksy.site
hairurge.com
lizzo.ltd
ukmcqc.co.uk
coolerzap.net
Extracted
quasar
1.4.0
dolevz
xeirz.ddns.net:1604
601aeefd-4173-4fb6-a6a3-5c54ed74afab
-
encryption_key
B96CFB0B9E6C92FCB3C6AB35C7338CDEC4993B7C
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Targets
-
-
Target
7.0.0.0.exe
-
Size
6.4MB
-
MD5
514ca6348b6d29069d6b436fc1f1c159
-
SHA1
ebd3d2d7924b78a165eb2d689eae5ff90c709e01
-
SHA256
35b846afc6bf51292d8a401a68a24a0e36d131d7798ceaa8713f08b6942fe0b5
-
SHA512
e51f635718f021f5f238b2510c8e7b99b57318cbcbae09773ea123c275f48156f6ca76be6aaea7901a6d7351d54aa8486dbcd01160a18082c59fb09211ab533e
Score7/10-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
-
-
Target
ILMerge.exe
-
Size
668KB
-
MD5
2bb6322885e6ca0986206de174e842c9
-
SHA1
c5ea70169106d32bc513d28ea76ae8ea1e49380b
-
SHA256
8110d740b485bcb06ff406b17001714c3a146fe6517098c9dc90d812b83389fd
-
SHA512
9750180c54a5bd8f0e1fa8a8f529364430f2ef444efbf8ac51e8d2a0aaa4e3d21fe553865ba8567c7c19e4ae84d04b20464f391743e88c52c00cac0bf20fc2a7
Score1/10 -
-
-
Target
pack/AbPmX.exe
-
Size
45KB
-
MD5
a23c5f26bb7a11952d408d99242e5c06
-
SHA1
0712a50bbb25a1803df9e9f7fd195ed86f54d1a7
-
SHA256
d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0
-
SHA512
4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
-
-
Target
pack/AcAoB.exe
-
Size
95KB
-
MD5
0ec54c61531a22e6ccc517293d137d67
-
SHA1
4bc1bb4273cbefc10efbae5e55a03f4aaba624ab
-
SHA256
98049233378275be99a475de751e30042eee539f0644fbc0cd84b041aaab2396
-
SHA512
0bf6b2ee458083ed74f4954e308dd5742fd31b269dd757af507be9ab821b2833de46bbc532854719c9cf7acfbf0fac995a86d580f13d7f82cee9b5d0a6790ec8
Score10/10-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
-
-
Target
pack/AdEXN.exe
-
Size
45KB
-
MD5
a23c5f26bb7a11952d408d99242e5c06
-
SHA1
0712a50bbb25a1803df9e9f7fd195ed86f54d1a7
-
SHA256
d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0
-
SHA512
4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
-
-
Target
pack/AeCKK.exe
-
Size
15KB
-
MD5
a29ccdfe75b6d00c5af0d219040ec8fa
-
SHA1
056a8309ed4c51c11d841c136e8e9d4d40b0c347
-
SHA256
27a5e7226e99dfd6f1940565c19e61efcf4047085693b2c8c46e5ce843c1e943
-
SHA512
229bdf1ab0a6761cc72edf5f78d6da02f5219cc5863b15ec1883fc531ba04df6a661b650cd10c5fcc9d6e5d473775b19f00442edcaaf664a18140dc5bc2e830c
Score1/10 -
-
-
Target
pack/AeSRJ.exe
-
Size
5.3MB
-
MD5
95c9c83e4d5f20a4bd8a5354cec20d27
-
SHA1
4f75dc7c374a15026bc3e557d5849d8f27414971
-
SHA256
ae8b777d1cb934b3f9badd12d3599c739aa7b8972f99b48a5ba668866e34fff4
-
SHA512
72c65d5a5162355d251c4452b050355c686b751719ee9ccbd6e19f3e414dbf1aea598e1704aad7183f2c1654622927fd84badd36b42e845ffc5496cf0eb808fd
Score7/10-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
pack/AfDTM.exe
-
Size
47KB
-
MD5
81a1f53a7e0431c385b3537c9e86e9ca
-
SHA1
fee349b7f96843c91ed47a19f9aa2f58520ddb1c
-
SHA256
c47cc8f39a3d676895f1bbb92f94d50d5e5d20f7be816b76c09b08cef4d380a7
-
SHA512
626f5d74a98e3b8cc8f3be3ea7d5611918731a35331dad3603d18426cefd694e6d66b46fb277c46300792c3da930022fc6db28afb68a6e9e4d974a90c9e091c4
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
-
-
Target
pack/AfMaR.exe
-
Size
45KB
-
MD5
a23c5f26bb7a11952d408d99242e5c06
-
SHA1
0712a50bbb25a1803df9e9f7fd195ed86f54d1a7
-
SHA256
d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0
-
SHA512
4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
-
-
Target
pack/AfZcW.exe
-
Size
45KB
-
MD5
a23c5f26bb7a11952d408d99242e5c06
-
SHA1
0712a50bbb25a1803df9e9f7fd195ed86f54d1a7
-
SHA256
d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0
-
SHA512
4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
-
-
Target
pack/AnWLP.exe
-
Size
15KB
-
MD5
a29ccdfe75b6d00c5af0d219040ec8fa
-
SHA1
056a8309ed4c51c11d841c136e8e9d4d40b0c347
-
SHA256
27a5e7226e99dfd6f1940565c19e61efcf4047085693b2c8c46e5ce843c1e943
-
SHA512
229bdf1ab0a6761cc72edf5f78d6da02f5219cc5863b15ec1883fc531ba04df6a661b650cd10c5fcc9d6e5d473775b19f00442edcaaf664a18140dc5bc2e830c
Score1/10 -
-
-
Target
pack/AnZNZ.exe
-
Size
45KB
-
MD5
a23c5f26bb7a11952d408d99242e5c06
-
SHA1
0712a50bbb25a1803df9e9f7fd195ed86f54d1a7
-
SHA256
d140f6813ba550ee767cdcac73ea9f38868e6e3653289b7f0f49d04db65860c0
-
SHA512
4955d486cb75050c702877ac6d4ea26b0328cb8978e2854b1fd06fd62c9f98a89918e78ed66caedf3459b6fb542fba170e98e0d4e0940a6a65384b75d0830b47
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
-
Async RAT payload
-
-
-
Target
pack/ApRnS.exe
-
Size
136KB
-
MD5
6862264bbd7688ac4bd96f16786cd153
-
SHA1
8fd23a996f8b78914f9969cb3c31be7ffd02e346
-
SHA256
701ef63a3a8c4f2eb90d64cd897e0098460e1272a54404b90ab794a685b98ffc
-
SHA512
23df9d7fe2e8028d2b7f985344ac5ff0d01f9a45f0925f6b37b0df64aab3702612e5bfb56cb29bc2325bd26ffe152fc69f4af5e36d0e94a97a6f04d27460c2e2
Score10/10-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload
-
Accesses Microsoft Outlook profiles
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
-
-
Target
pack/AqDpY.exe
-
Size
15KB
-
MD5
a29ccdfe75b6d00c5af0d219040ec8fa
-
SHA1
056a8309ed4c51c11d841c136e8e9d4d40b0c347
-
SHA256
27a5e7226e99dfd6f1940565c19e61efcf4047085693b2c8c46e5ce843c1e943
-
SHA512
229bdf1ab0a6761cc72edf5f78d6da02f5219cc5863b15ec1883fc531ba04df6a661b650cd10c5fcc9d6e5d473775b19f00442edcaaf664a18140dc5bc2e830c
Score1/10 -
-
-
Target
pack/AsNMX.exe
-
Size
6KB
-
MD5
2077e8080a5f540e281242a1b475f865
-
SHA1
b6e2e18a6a3574bab7f17185dc0b00da1a34a95c
-
SHA256
04153178e5f9f669cd1c89d653d45a0431d46ff5e9dc6128522bc02aacdb9895
-
SHA512
4e2bc30f93fbc06302fa29efcc0e5d164bf533dcf04235d2465863536d8fdd249d583555453836dd3e76df6d6f79a511185b9ef936312d6f25d8d89eb7b58f91
Score1/10 -
-
-
Target
pack/AwHQZ.exe
-
Size
160KB
-
MD5
3564b2127c519a9e39b63f0e6994a3d1
-
SHA1
158c22dea6eb92f518af7ea947e08521a904e3ad
-
SHA256
09103f6536c9315c4d1cfa28a4105a2e9bd06f5c432bb62dc5a2b1d0b5902fdd
-
SHA512
37bdd044469917c500a4d4cfc8b8280207198be956bb208efdac7a74dc3a49b97df237885ece8bf8d3e0c9642156c24285e9ed8fa27adad32adbde6613fc5029
Score10/10-
NetWire RAT payload
-
Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-