General
-
Target
Acordx_protected.exe
-
Size
7.6MB
-
Sample
230525-hnmfrsge49
-
MD5
2c973cde88509f88aeedddb30d78b7a1
-
SHA1
708b76a1d72cafeb1c5e80e54ba2f1881af42591
-
SHA256
9ec95ba3045441faf26617148720dfeec0dccd106813ee6ab3fe9157579cf78e
-
SHA512
52acfff5952e22e158a30f113b4427b8ee127ec920ed6a8f43e1dea9289565ee880bc16e06a3895fcf2b58af771c54701802975c3e45e41ad402e80da7ed2fea
-
SSDEEP
196608:RENPY7533CN1ac1mTWkKqiDnYYI0JFMWoAV/oc:GG5wvET/TiDnYK/o
Malware Config
Extracted
remcos
1.7 Pro
Host
soon-lp.at.ply.gg:17209
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
svchost.exe
-
copy_folder
SystemFiles
-
delete_file
false
-
hide_file
true
-
hide_keylog_file
false
-
install_flag
true
-
install_path
%AppData%
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_yxpjpevccr
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
svchost
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
redline
cheat
soon-lp.at.ply.gg:17209
Extracted
asyncrat
1.0.7
Default
soon-lp.at.ply.gg:17209
DcRatMutex_qwqdanchun
-
delay
1
-
install
true
-
install_file
Elhost.exe
-
install_folder
%AppData%
Extracted
asyncrat
5.0.5
Venom Clients
soon-lp.at.ply.gg:17209
Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
-
delay
1
-
install
true
-
install_file
WinDick.exe
-
install_folder
%AppData%
Extracted
asyncrat
VenomRAT_HVNC 5.0.4
Venom Clients
soon-lp.at.ply.gg:17209
gegK1OS7D
-
delay
0
-
install
true
-
install_file
WinDuck.exe
-
install_folder
%AppData%
Targets
-
-
Target
Acordx_protected.exe
-
Size
7.6MB
-
MD5
2c973cde88509f88aeedddb30d78b7a1
-
SHA1
708b76a1d72cafeb1c5e80e54ba2f1881af42591
-
SHA256
9ec95ba3045441faf26617148720dfeec0dccd106813ee6ab3fe9157579cf78e
-
SHA512
52acfff5952e22e158a30f113b4427b8ee127ec920ed6a8f43e1dea9289565ee880bc16e06a3895fcf2b58af771c54701802975c3e45e41ad402e80da7ed2fea
-
SSDEEP
196608:RENPY7533CN1ac1mTWkKqiDnYYI0JFMWoAV/oc:GG5wvET/TiDnYK/o
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Detects Echelon Stealer payload
-
Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
-
Modifies WinLogon for persistence
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
-
SectopRAT payload
-
UAC bypass
-
Async RAT payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Adds policy Run key to start application
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Themida packer
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application
-
Checks whether UAC is enabled
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-