General
Target: ABJ.bat
Size: 49KB
Sample: 230117-zths7scc4t
MD5: e08706212a60d07fe1004e36519eaae2
SHA1: 6a240f93656757c78537605f55690248db9117dd
SHA256: f1a126ea617a045454badfb230b3bc86ee5c1ad5698c1285472f71fc8497cbfc
SHA512: c10eeb8f95749d440b41d9dc4cfe8a8b16222157131dc5850902ef9bdebd5f16a1d52dc0355ac736bee90d1263c875feec3335e5c54d3ed5d018863aadf11872
SSDEEP: 1536:ntXaPUY6USCuhyoQp9ud+w5BNb2mRtONmxS:VasY2QoQGo4Nbbtqm4
Static task: static1
Behavioral task: behavioral1 (sample ABJ.bat, resource win7-20220812-en)
Behavioral task: behavioral2 (sample ABJ.bat, resource win10-20220812-en)
Behavioral task: behavioral3 (sample ABJ.bat, resource win10v2004-20221111-en)
Malware Config
Extracted: asyncrat
Version: 0.5.7B
Botnet: Default
C2: 45.133.174.122:6606, 45.133.174.122:7707, 45.133.174.122:8808
Mutex: AsyncMutex_6SI8OkPnk
Attributes:
  delay: 3
  install: false
  install_folder: %AppData%
Extracted: quasar
Version: 1.4.0
Botnet: Office04
C2: 45.133.174.122:4782
Mutex: 05e23cca-0e53-471b-8856-2336383c54a1
Attributes:
  encryption_key: BBB05B540BFD17C177E52F7CD97CAB7C830BA90C
  install_name: Client.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: Quasar Client Startup
  subdirectory: SubDir
Extracted: remcos
Botnet: RemoteHost
C2: prosir.casacam.net:2404, amalar.camdvr.org:2404, stopeet.camdvr.org:2404
Attributes:
  audio_folder: MicRecords
  audio_path: %AppData%
  audio_record_time: 5
  connect_delay: 0
  connect_interval: 1
  copy_file: remcos.exe
  copy_folder: Remcos
  delete_file: false
  hide_file: false
  hide_keylog_file: false
  install_flag: false
  install_path: %AppData%
  keylog_crypt: false
  keylog_file: logs.dat
  keylog_flag: false
  keylog_folder: remcos
  keylog_path: %AppData%
  mouse_option: false
  mutex: Remcos-2L1UUQ
  screenshot_crypt: false
  screenshot_flag: false
  screenshot_folder: Screenshots
  screenshot_path: %AppData%
  screenshot_time: 10
  startup_value: Remcos
  take_screenshot_option: false
  take_screenshot_time: 5
  take_screenshot_title: notepad;solitaire;
Targets
Signatures:
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- NetWire RAT payload
- Quasar payload
- Async RAT payload
- ModiLoader Second Stage
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.