General

  • Target

    ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f

  • Size

    2.1MB

  • Sample

    221130-zja1lsgb8z

  • MD5

    da10ff1e72683c714b10987686b9d695

  • SHA1

    4990862369970af40430125e4cf3376fc8ea33cf

  • SHA256

    ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f

  • SHA512

    f124430db1e6e85a1137a3eba5ae8b3823b264c1bbccc93ccbac738ab5bd45aac7dc46fa97f1b62421c0ab0d3ed46b9d0cb5cbb3ff44eea7c756a813e7bdde63

  • SSDEEP

    49152:41TJDnj5Bf7ZRw8BxsqGg/FoK02W643x9HTQp:CTJbNBfjwisqGg/vm6efHTQ

Malware Config

Extracted

Family

remcos

Botnet

PeterObi2023

C2

76.8.53.133:1198

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    sdfge.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    fghoiuytr.dat

  • keylog_flag

    false

  • mouse_option

    false

  • mutex

    fghjcvbn-UURPOS

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    dfghrtyu

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

IYKE

C2

76.8.53.133:1198

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    explorer.exe

  • copy_folder

    machines

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    12345MEEE

  • mouse_option

    false

  • mutex

    12345MEEE-NS9UK1

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    explorer

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

warzonerat

C2

76.8.53.133:1198

Targets

    • Target

      ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f

    • Size

      2.1MB

    • MD5

      da10ff1e72683c714b10987686b9d695

    • SHA1

      4990862369970af40430125e4cf3376fc8ea33cf

    • SHA256

      ef520dd1c4f60b215ada787cd507ba5e72933a04eba01c9cd81496860de5bf0f

    • SHA512

      f124430db1e6e85a1137a3eba5ae8b3823b264c1bbccc93ccbac738ab5bd45aac7dc46fa97f1b62421c0ab0d3ed46b9d0cb5cbb3ff44eea7c756a813e7bdde63

    • SSDEEP

      49152:41TJDnj5Bf7ZRw8BxsqGg/FoK02W643x9HTQp:CTJbNBfjwisqGg/vm6efHTQ

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

    • Warzone RAT payload

    • Executes dropped EXE

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

System Information Discovery

1
T1082

Tasks