General

Target: 2fc0f46e2ceded0b284d4f41759de65e73532900202260b98769ebfaf3244951
Size: 315KB
Sample: 221130-bavfwsde58
MD5: 6b799c28f694b2e8db9cfdff5c95a04a
SHA1: 796e5b4cb417d31f7a3090b45d50d3b89b22438b
SHA256: 44e479b36da63681c0313093fb2eba339581b8ba51d40b7f35191664b6a03590
SHA512: d44405e4b68dccd68b2eea076de9ee74716921ee09d873231af99d3a7298886bdc8ac29916ee0d87eb20e8bba553726c26d1a2ffbaac4a31f71797b505164eeb
SSDEEP: 6144:TPZpOOaTvL6p+1+Ud4xajiuzopB9Rdm1pRjWBk0OVpWy8Ri:TPnOzTvL6ZW48jiu8pB9RdmpRqBk0Y4i
Static task: static1

Behavioral task: behavioral1
Sample: 2fc0f46e2ceded0b284d4f41759de65e73532900202260b98769ebfaf3244951.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 2fc0f46e2ceded0b284d4f41759de65e73532900202260b98769ebfaf3244951.exe
Resource: win10v2004-20220901-en
Malware Config

Extracted
Family: raccoon
Botnet: 5d704573a0f97fb52a93667085c18b77
C2: http://193.106.191.150/
rc4.plain

Extracted
Family: azorult
C2: http://195.245.112.115/index.php

Extracted
Family: remcos
Botnet: 11262022
C2:
  nikahuve.ac.ug:65214
  kalskala.ac.ug:65214
  tuekisaa.ac.ug:65214
  parthaha.ac.ug:65214
Attributes:
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: true
  install_flag: false
  install_path: %AppData%
  keylog_crypt: true
  keylog_file: vbfxs.dat
  keylog_flag: false
  keylog_folder: fsscbas
  keylog_path: %AppData%
  mouse_option: false
  mutex: dchfgsdmhj-JWMVH4
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: Remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: notepad;solitaire;
Targets

Target: 2fc0f46e2ceded0b284d4f41759de65e73532900202260b98769ebfaf3244951
Size: 912KB
MD5: b417d6f0345b7af1f5dfe584978d8546
SHA1: 00e67099c87df3f1548793400b1193e423b2de18
SHA256: 2fc0f46e2ceded0b284d4f41759de65e73532900202260b98769ebfaf3244951
SHA512: 5a27af515f5913e59c754f49fffae145a76cf540ec4c2b460f08e8b5cd44a53f672b6fb42c845423d2c9ef03170e233d3c1a8ce9273f2a426375b526cd6f9b0c
SSDEEP: 12288:OMBxceTvLcZWyM5h8pB9RdmpdKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKL:OuCeTAAyD9RdN9P9m
- Azorult: An information stealer that was first discovered in 2016, targeting browsing history and passwords.
- XMRig Miner payload
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation