General

  • Target

    a9dd1949b6cebf4da3a7b185ade44cba.js

  • Size

    288KB

  • Sample

    220907-l4hz3aghfm

  • MD5

    560fae86873f8e47bcfb89e7d4e21e16

  • SHA1

    622d1add9dc24668645c9f2cec4b98e6e7b0844c

  • SHA256

    366abc9d1566f2044e6fe08f69439bdc36ea75f2e1ef04dd58636e64d56bc523

  • SHA512

    155306a61bed0acfe2dbee365a4c0b24722d94db2178a14f3747ba5dcb0084154b50172a91c1b1f0f4f636cd6b43d1b44498f1c28fa8437e05c6dab95837e268

  • SSDEEP

    3072:grCtm+fjNOWxn3tFy2eO8EOHUn2fIqkCzbyTo9kbIJEfxFGbraBm/vctFIup58zI:sum+roWJtceMHU27H6o9TgG8p5Ao

Malware Config

Extracted

Family

warzonerat

C2

185.157.162.75:4002

Extracted

Family

remcos

Botnet

Chinese

C2

185.157.162.75:2222

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-QRVWLS

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    PowerPc

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      a9dd1949b6cebf4da3a7b185ade44cba.js

    • Size

      288KB

    • MD5

      560fae86873f8e47bcfb89e7d4e21e16

    • SHA1

      622d1add9dc24668645c9f2cec4b98e6e7b0844c

    • SHA256

      366abc9d1566f2044e6fe08f69439bdc36ea75f2e1ef04dd58636e64d56bc523

    • SHA512

      155306a61bed0acfe2dbee365a4c0b24722d94db2178a14f3747ba5dcb0084154b50172a91c1b1f0f4f636cd6b43d1b44498f1c28fa8437e05c6dab95837e268

    • SSDEEP

      3072:grCtm+fjNOWxn3tFy2eO8EOHUn2fIqkCzbyTo9kbIJEfxFGbraBm/vctFIup58zI:sum+roWJtceMHU27H6o9TgG8p5Ao

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks