General

  • Target

    2fc0f46e2ceded0b284d4f41759de65e73532900202260b98769ebfaf3244951

  • Size

    315KB

  • Sample

    221130-bavfwsde58

  • MD5

    6b799c28f694b2e8db9cfdff5c95a04a

  • SHA1

    796e5b4cb417d31f7a3090b45d50d3b89b22438b

  • SHA256

    44e479b36da63681c0313093fb2eba339581b8ba51d40b7f35191664b6a03590

  • SHA512

    d44405e4b68dccd68b2eea076de9ee74716921ee09d873231af99d3a7298886bdc8ac29916ee0d87eb20e8bba553726c26d1a2ffbaac4a31f71797b505164eeb

  • SSDEEP

    6144:TPZpOOaTvL6p+1+Ud4xajiuzopB9Rdm1pRjWBk0OVpWy8Ri:TPnOzTvL6ZW48jiu8pB9RdmpRqBk0Y4i

Malware Config

Extracted

Family

raccoon

Botnet

5d704573a0f97fb52a93667085c18b77

C2

http://193.106.191.150/

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

remcos

Botnet

11262022

C2

nikahuve.ac.ug:65214

kalskala.ac.ug:65214

tuekisaa.ac.ug:65214

parthaha.ac.ug:65214

Attributes

audio_folder: MicRecords
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: vbfxs.dat
keylog_flag: false
keylog_folder: fsscbas
keylog_path: %AppData%
mouse_option: false
mutex: dchfgsdmhj-JWMVH4
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: Remcos
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title: notepad;solitaire;

Targets

    • Target

      2fc0f46e2ceded0b284d4f41759de65e73532900202260b98769ebfaf3244951

    • Size

      912KB

    • MD5

      b417d6f0345b7af1f5dfe584978d8546

    • SHA1

      00e67099c87df3f1548793400b1193e423b2de18

    • SHA256

      2fc0f46e2ceded0b284d4f41759de65e73532900202260b98769ebfaf3244951

    • SHA512

      5a27af515f5913e59c754f49fffae145a76cf540ec4c2b460f08e8b5cd44a53f672b6fb42c845423d2c9ef03170e233d3c1a8ce9273f2a426375b526cd6f9b0c

    • SSDEEP

      12288:OMBxceTvLcZWyM5h8pB9RdmpdKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKL:OuCeTAAyD9RdN9P9m

    • Azorult

      An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    • Raccoon

      Raccoon is an infostealer written in C++ and first seen in 2019.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

    • Command and Control

    • Credential Access

    • Defense Evasion

    • Execution

    • Exfiltration

    • Impact

    • Initial Access

    • Lateral Movement

    • Privilege Escalation

                Tasks