General
- Target: Remcos 3.8.0 Proffesional.exe
- Size: 5.9MB
- Sample: 220915-rhkvesdcg7
- MD5: 1ce4214544f0a7043eefbe8e5bd40f8b
- SHA1: 0cf65c2da5bac5f5f41fc4e7409df2dd6b5ed15e
- SHA256: 91b0783d638cd5e8f4bf75d527f154259c5ed6acc1906450b99e332453d48979
- SHA512: 76db21245ef94d48f7cf54cca6132251ecdc1c11775c9b369ea76b6a5eae6ccfd1bc2779c0368b189b71199535a08ba3cd12f18e5a16ae5b99e2ad55898ffc1b
- SSDEEP: 98304:fBBph+6IxhSsqa2AsIaZsX6/ejeyp3AJeQMc5evmqclrz6T:fBBpYXcsqay1s1eyWp15IV
Static task: static1
Behavioral task: behavioral1
- Sample: Remcos 3.8.0 Proffesional.exe
- Resource: win7-20220901-en
Behavioral task: behavioral2
- Sample: Remcos 3.8.0 Proffesional.exe
- Resource: win10v2004-20220812-en
Malware Config
Extracted: netwire
- 127.0.0.1:3360
- ast3rhost.ddns.net:57441
- activex_autorun: false
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path: %AppData%\Updates64\Updater64.exe
- keylogger_dir: Windows Systems Update.lnk
- lock_executable: false
- mutex: OMuLlWeg
- offline_keylogger: false
- password: Aster21
- registry_autorun: false
- use_mutex: false
Extracted: warzonerat
- ast3rhost.ddns.net:55557
Targets
- Target: Remcos 3.8.0 Proffesional.exe
- Luca Stealer payload
- NetWire RAT payload
- WarzoneRat, AveMaria: WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
- Warzone RAT payload
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application