Malware sandboxing report by Hatching Triage

General

Target

f29f6dc54c33b2aae2950019ee54b04c.bin
Size

624KB
Sample

230123-mdklmsee6v
MD5

c1ac94c94446bff66f6765a0d1cf51ba
SHA1

dcf1c0e8713284081067c083fd4ff0aec394a8b6
SHA256

91597ce5a72f7c3fe4e517d2f627c2877bec5a829e66ba70ab3fb797c10bcf6e
SHA512

e9cd258622a374c88b9efdce9783e51e45e213c392c82de1ed09ecd51b8d2644eed6e404c9c5c3ad9ff0dd0ad92f9279b529c931e1e0497938e3bfda621ac1f1
SSDEEP

12288:YdEDng1SsYvtq/Znasdi9ndKEeaj4Nb0v3K/bFwv9N59qfFV0O2e:Y2DFXc/HwddLea00C/bFu9N59QV0pe

Score

10^/10

Malware Config

Extracted

Family

raccoon

Botnet

75ea4cb7f040eb3056eaa4e86a3a9d6c

C2

http://91.215.85.146/

rc4.plain

Extracted

Family

azorult

C2

http://195.245.112.115/index.php

Extracted

Family

remcos

Botnet

1122023

C2

nikahuve.ac.ug:65214

kalskala.ac.ug:65214

tuekisaa.ac.ug:65214

parthaha.ac.ug:65214

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
vgbvfxs.dat
keylog_flag
false
keylog_folder
fsscbas
keylog_path
%AppData%
mouse_option
false
mutex
fdsgsdmhj-9K01C1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539.exe
- Size
  
  831KB
- MD5
  
  f29f6dc54c33b2aae2950019ee54b04c
- SHA1
  
  c37d98a04edbe68fbd4e054fe0e96b1c926460ea
- SHA256
  
  8c5df030de0c79f2155a60e0d5f41889ec8d07d441279d406996dca4639f8539
- SHA512
  
  3205deea23d0655968935d26028e895d10b82594afc0ce17a5e2454a4c50584dc11564f0f1acf46ec0cc41dc0b6d3e638803934649f5834c75b04e708473967c
- SSDEEP
  
  24576:Mf78hVkC6gGhgfyNbpiODGsSm+FGUz9q:MAhf6gGhgab6shWz
Score

10^/10

azorult raccoon remcos xmrig 1122023 75ea4cb7f040eb3056eaa4e86a3a9d6c bootkit discovery evasion infostealer miner persistence rat spyware stealer trojan
- Azorult
  An information stealer that was first discovered in 2016, targeting browsing history and passwords.
  trojan infostealer azorult
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Installed Components in the registry
  persistence
- Registers COM server for autorun
  persistence
- Sets file execution options in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of SetThreadContext
behavioral1