Overview

overview

10

Static

static

7

Acordx_protected.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Acordx_protected.exe

  • Size

    7.6MB

  • Sample

    230525-hnmfrsge49

  • MD5

    2c973cde88509f88aeedddb30d78b7a1

  • SHA1

    708b76a1d72cafeb1c5e80e54ba2f1881af42591

  • SHA256

    9ec95ba3045441faf26617148720dfeec0dccd106813ee6ab3fe9157579cf78e

  • SHA512

    52acfff5952e22e158a30f113b4427b8ee127ec920ed6a8f43e1dea9289565ee880bc16e06a3895fcf2b58af771c54701802975c3e45e41ad402e80da7ed2fea

  • SSDEEP

    196608:RENPY7533CN1ac1mTWkKqiDnYYI0JFMWoAV/oc:GG5wvET/TiDnYK/o

Score
10/10
asyncratechelonredlineremcossectopratcheatdefaulthostvenom clientsevasioninfostealerpersistenceratspywarestealerthemidatrojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

soon-lp.at.ply.gg:17209

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    svchost.exe

  • copy_folder

    SystemFiles

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_yxpjpevccr

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    svchost

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

redline

Botnet

cheat

C2

soon-lp.at.ply.gg:17209

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

soon-lp.at.ply.gg:17209

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    true

  • install_file

    Elhost.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

5.0.5

Botnet

Venom Clients

C2

soon-lp.at.ply.gg:17209

Mutex

Venom_RAT_HVNC_Mutex_Venom RAT_HVNC

Attributes
  • delay

    1

  • install

    true

  • install_file

    WinDick.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

VenomRAT_HVNC 5.0.4

Botnet

Venom Clients

C2

soon-lp.at.ply.gg:17209

Mutex

gegK1OS7D

Attributes
  • delay

    0

  • install

    true

  • install_file

    WinDuck.exe

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      Acordx_protected.exe

    • Size

      7.6MB

    • MD5

      2c973cde88509f88aeedddb30d78b7a1

    • SHA1

      708b76a1d72cafeb1c5e80e54ba2f1881af42591

    • SHA256

      9ec95ba3045441faf26617148720dfeec0dccd106813ee6ab3fe9157579cf78e

    • SHA512

      52acfff5952e22e158a30f113b4427b8ee127ec920ed6a8f43e1dea9289565ee880bc16e06a3895fcf2b58af771c54701802975c3e45e41ad402e80da7ed2fea

    • SSDEEP

      196608:RENPY7533CN1ac1mTWkKqiDnYYI0JFMWoAV/oc:GG5wvET/TiDnYK/o

    Score
    10/10
    asyncratechelonredlineremcossectopratcheatdefaulthostvenom clientsevasioninfostealerpersistenceratspywarestealerthemidatrojan

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Detects Echelon Stealer payload

    • Echelon

      Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

      stealerspywareechelon

    • Modifies WinLogon for persistence

      persistence

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • UAC bypass

      evasiontrojan

    • Async RAT payload

      rat

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Adds policy Run key to start application

      persistence

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Themida packer

      Detects Themida, an advanced Windows software protection system.

      themida

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

      persistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks