General

  • Target

    e3ce5f697801526877917b3573ca7b1c0f429d3955fa9d85c040115dadc98bfd

  • Size

    351KB

  • Sample

    221203-kb78tagg24

  • MD5

    1f229068fd0ed29480b7bb56f8f9f5cd

  • SHA1

    a604a273caddd4dbd8f47f403ccee95428ed2d41

  • SHA256

    e3ce5f697801526877917b3573ca7b1c0f429d3955fa9d85c040115dadc98bfd

  • SHA512

    f39f15454e5d0a861a61445cab9b206a29156e6525e6d24fa8e023079f1500c051a50a1da1164ee6b936d55a34dd9e5931ee03d9df30dca2eb30406c9b5925a4

  • SSDEEP

    6144:mDzg3CaHYhsTVB8pZcJcAEi64nMW2RqnwkYi:mDaCaH1BWBAEfmMW3nY

Malware Config

Extracted

Family

vidar

Version

56

Botnet

1148

C2

https://t.me/asifrazatg

https://steamcommunity.com/profiles/76561199439929669

Attributes
  • profile_id

    1148

Extracted

Family

amadey

Version

3.50

C2

62.204.41.252/nB8cWack3/index.php

Extracted

Family

vidar

Version

56

Botnet

1881

C2

https://t.me/asifrazatg

https://steamcommunity.com/profiles/76561199439929669

Attributes
  • profile_id

    1881

Extracted

Family

remcos

Botnet

scamalert

C2

de1.localtonet.com:34865

de1.localtonet.com:35212

de1.localtonet.com:46294

de1.localtonet.com:32877

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-L2WD9C

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      e3ce5f697801526877917b3573ca7b1c0f429d3955fa9d85c040115dadc98bfd

    • Size

      351KB

    • MD5

      1f229068fd0ed29480b7bb56f8f9f5cd

    • SHA1

      a604a273caddd4dbd8f47f403ccee95428ed2d41

    • SHA256

      e3ce5f697801526877917b3573ca7b1c0f429d3955fa9d85c040115dadc98bfd

    • SHA512

      f39f15454e5d0a861a61445cab9b206a29156e6525e6d24fa8e023079f1500c051a50a1da1164ee6b936d55a34dd9e5931ee03d9df30dca2eb30406c9b5925a4

    • SSDEEP

      6144:mDzg3CaHYhsTVB8pZcJcAEi64nMW2RqnwkYi:mDaCaH1BWBAEfmMW3nY

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    • Detect Amadey credential stealer module

    • Detects Smokeloader packer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads local data of messenger clients

      Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses 2FA software files, possible credential harvesting

    • Accesses Microsoft Outlook accounts

    • Accesses Microsoft Outlook profiles

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

4
T1081

Discovery

Query Registry

4
T1012

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Collection

Data from Local System

4
T1005

Email Collection

2
T1114

Command and Control

Web Service

1
T1102

Tasks