redline

Target

a.bin
Size

5KB
Sample

230608-vhg1bahg5z
MD5

8ce1f6882edc51f701bbe648e40dd133
SHA1

496b3df4657e9d11df14a8ad267061d97249b511
SHA256

188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
SHA512

5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
SSDEEP

48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://transparenciacanaa.com.br/cidadejunina/js/vendor/debug2.ps1

Extracted

Family

remcos

Botnet

RemoteHost

pekonomiana.duckdns.org:30491

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EORWFM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

remcos

Botnet

RemotefHostf

94.142.138.111:5701

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
rfmcos.exe
copy_folder
Rfmcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmcf-6KJV62
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

redline

Botnet

muha

83.97.73.129:19068

Attributes

auth_value
3c237e5fecb41481b7af249e79828a46

Extracted

Family

redline

Botnet

crazy

83.97.73.129:19068

Attributes

auth_value
66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

duha

83.97.73.129:19068

Attributes

auth_value
aafe99874c3b8854069470882e00246c

Extracted

Family

warzonerat

193.42.32.191:8282

Targets

- Target
  
  a.bin
- Size
  
  5KB
- MD5
  
  8ce1f6882edc51f701bbe648e40dd133
- SHA1
  
  496b3df4657e9d11df14a8ad267061d97249b511
- SHA256
  
  188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
- SHA512
  
  5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
- SSDEEP
  
  48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt
Score

10^/10

redline remcos warzonerat crazy duha muha remotefhostf remotehost evasion infostealer persistence rat upx vmprotect
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- WarzoneRat, AveMaria
  WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
  rat infostealer warzonerat
- Warzone RAT payload
  rat
- Downloads MZ/PE file
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1