General

  • Target

    Remcos 3.8.0 Proffesional.exe

  • Size

    5.9MB

  • Sample

    220915-rhkvesdcg7

  • MD5

    1ce4214544f0a7043eefbe8e5bd40f8b

  • SHA1

    0cf65c2da5bac5f5f41fc4e7409df2dd6b5ed15e

  • SHA256

    91b0783d638cd5e8f4bf75d527f154259c5ed6acc1906450b99e332453d48979

  • SHA512

    76db21245ef94d48f7cf54cca6132251ecdc1c11775c9b369ea76b6a5eae6ccfd1bc2779c0368b189b71199535a08ba3cd12f18e5a16ae5b99e2ad55898ffc1b

  • SSDEEP

    98304:fBBph+6IxhSsqa2AsIaZsX6/ejeyp3AJeQMc5evmqclrz6T:fBBpYXcsqay1s1eyWp15IV

Malware Config

Extracted

Family

netwire

C2

127.0.0.1:3360

ast3rhost.ddns.net:57441

Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    HostId-%Rand%

  • install_path

    %AppData%\Updates64\Updater64.exe

  • keylogger_dir

    Windows Systems Update.lnk

  • lock_executable

    false

  • mutex

    OMuLlWeg

  • offline_keylogger

    false

  • password

    Aster21

  • registry_autorun

    false

  • use_mutex

    false

Extracted

Family

warzonerat

C2

ast3rhost.ddns.net:55557

Targets

    • Target

      Remcos 3.8.0 Proffesional.exe

    • Size

      5.9MB

    • MD5

      1ce4214544f0a7043eefbe8e5bd40f8b

    • SHA1

      0cf65c2da5bac5f5f41fc4e7409df2dd6b5ed15e

    • SHA256

      91b0783d638cd5e8f4bf75d527f154259c5ed6acc1906450b99e332453d48979

    • SHA512

      76db21245ef94d48f7cf54cca6132251ecdc1c11775c9b369ea76b6a5eae6ccfd1bc2779c0368b189b71199535a08ba3cd12f18e5a16ae5b99e2ad55898ffc1b

    • SSDEEP

      98304:fBBph+6IxhSsqa2AsIaZsX6/ejeyp3AJeQMc5evmqclrz6T:fBBpYXcsqay1s1eyWp15IV

    • Luca Stealer

      Info stealer written in Rust first seen in July 2022.

    • Luca Stealer payload

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks