General

  • Target: ABJ.bat
  • Size: 49KB
  • Sample: 230117-zths7scc4t
  • MD5: e08706212a60d07fe1004e36519eaae2
  • SHA1: 6a240f93656757c78537605f55690248db9117dd
  • SHA256: f1a126ea617a045454badfb230b3bc86ee5c1ad5698c1285472f71fc8497cbfc
  • SHA512: c10eeb8f95749d440b41d9dc4cfe8a8b16222157131dc5850902ef9bdebd5f16a1d52dc0355ac736bee90d1263c875feec3335e5c54d3ed5d018863aadf11872
  • SSDEEP: 1536:ntXaPUY6USCuhyoQp9ud+w5BNb2mRtONmxS:VasY2QoQGo4Nbbtqm4

Malware Config

Extracted

  • Family: asyncrat
  • Version: 0.5.7B
  • Botnet: Default
  • C2
      • 45.133.174.122:6606
      • 45.133.174.122:7707
      • 45.133.174.122:8808
  • Mutex: AsyncMutex_6SI8OkPnk
  • Attributes
      • delay: 3
      • install: false
      • install_folder: %AppData%
  • aes.plain

Extracted

  • Family: quasar
  • Version: 1.4.0
  • Botnet: Office04
  • C2
      • 45.133.174.122:4782
  • Mutex: 05e23cca-0e53-471b-8856-2336383c54a1
  • Attributes
      • encryption_key: BBB05B540BFD17C177E52F7CD97CAB7C830BA90C
      • install_name: Client.exe
      • log_directory: Logs
      • reconnect_delay: 3000
      • startup_key: Quasar Client Startup
      • subdirectory: SubDir

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2
      • prosir.casacam.net:2404
      • amalar.camdvr.org:2404
      • stopeet.camdvr.org:2404
  • Attributes
      • audio_folder: MicRecords
      • audio_path: %AppData%
      • audio_record_time: 5
      • connect_delay: 0
      • connect_interval: 1
      • copy_file: remcos.exe
      • copy_folder: Remcos
      • delete_file: false
      • hide_file: false
      • hide_keylog_file: false
      • install_flag: false
      • install_path: %AppData%
      • keylog_crypt: false
      • keylog_file: logs.dat
      • keylog_flag: false
      • keylog_folder: remcos
      • keylog_path: %AppData%
      • mouse_option: false
      • mutex: Remcos-2L1UUQ
      • screenshot_crypt: false
      • screenshot_flag: false
      • screenshot_folder: Screenshots
      • screenshot_path: %AppData%
      • screenshot_time: 10
      • startup_value: Remcos
      • take_screenshot_option: false
      • take_screenshot_time: 5
      • take_screenshot_title: notepad;solitaire;

Targets

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is focused on password stealing and keylogging, but it also includes remote control capabilities.

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Async RAT payload

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
      • Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
      • Modify Registry (T1112): 1
  • Discovery
      • Query Registry (T1012): 2
      • System Information Discovery (T1082): 3
      • Remote System Discovery (T1018): 1
