General

  • Target

    vhvncN PRV.zip

  • Size

    2.7MB

  • Sample

    230609-3yf2ysdg53

  • MD5

    b774340174ff0e9ba16bb7c95b80a4df

  • SHA1

    84774450e17cf9c1ac5ca5b9d0ec0e15bc89a114

  • SHA256

    5ac69c8e54fb08fdc85586c8abf0ba19ebd2fecfab9007c6a6434ae47c513ff8

  • SHA512

    8020138741e511f4ad78aff435da07141080856247164ad3a669d80aff825779163ba2ceff4c0f15a1fb89625d4c87240f28f75b133bef17482e192446692303

  • SSDEEP

    49152:Z993i3/eIuQEjXwxUV2g8KPW5GqarBe1oTmqoaP7Mw:v1qe9QKXwX5GBrg1wmsP7Mw

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

justkowir.duckdns.org:8550

Mutex

513a9907-f4ca-4a36-8f25-fcb7088c00a5

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    justkowir.duckdns.org

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2022-01-03T15:53:14.690945336Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    8550

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    513a9907-f4ca-4a36-8f25-fcb7088c00a5

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    justkowir.duckdns.org

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

remcos

Botnet

RemoteHost

C2

homoney177.duckdns.org:4056

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-QMN5BU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

asyncrat

Version

VenomRAT 5.0.3

Botnet

Venom Clients

C2

ghankall40.duckdns.org:8890

Mutex

Venom_RAT_Mutex_Venom_RAT

Attributes
  • delay

    0

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

Targets

    • Target

      vhvncN.exe

    • Size

      300.0MB

    • MD5

      34986f9c6ea8dbe780f8265e149d9d10

    • SHA1

      919cbc39b8ae9586620668fcbf6e649edc37db89

    • SHA256

      9cef989fedcd6ed1c4e8af2d790f46a24a36cb594d06e2c79abba747b4f10e8e

    • SHA512

      bc618243a04e860e26fe0eae3d1144e4887d6e064b7a6722ec1ea56149f3b7db21303c943983e9f8ae19e289dff489ea1fc9a132cccb101383262a6da9d297fa

    • SSDEEP

      24576:C/vPm5sH02EZdKwZGPdQaAITXZwfrY1jsgEe:gZH0nZYw+QGTXijYVs

    Score
    8/10
    • Modifies Installed Components in the registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    • Target

      vjustca.exe

    • Size

      300.0MB

    • MD5

      1633635a687ccb7d5af9b5f8d23d99c7

    • SHA1

      82a39e06e75396a9523b0faa4f2e941c141c1240

    • SHA256

      677e3f8a442e90e3d4464887248c326e226c028ad708e2dae85a9f215654f7a0

    • SHA512

      5889baa375d46cb1413e473b3e8184e24bf17006ebd630650ef3de3c23379622f658d10bb233d4c9c8e41ddb52c73773e939685c79a6b742f31daeee3b6a586c

    • SSDEEP

      6144:CjRfbsw9j74aiGZcpFpD2+iNoKZsy8WU7g/ke2FYD5Fj1:5wl/sLDrimKh8WUkP2Fg

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      vremcoss.exe

    • Size

      300.0MB

    • MD5

      5e16a655613ab91693a8595b5c148a22

    • SHA1

      6c7b4797b27de085abc25c6e87be4b40f7380022

    • SHA256

      d89d2dc5477228526ab32eff6c588844118248ca2230e0f8248c2c1a072ad6c5

    • SHA512

      0f5b16310d0fb6dfd350d764397a57a087e35f1e0bf59ec3b477de78941e836971c9a9734f980a804bc7d0cc3964246b2cb4b459e459458102a081478af65ea2

    • SSDEEP

      12288:79k4AvS+CkGwjOl/cP4Ul535VJDXTksuvNiqPbXpr0zXed9:8S+yx/cP4WDVJfkt8qF0rU

    Score
    10/10
    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    • Target

      vvenomd.exe

    • Size

      124.0MB

    • MD5

      068178e4813895c8767a99e20ab131eb

    • SHA1

      eb8bf68e2c940aaeb0b28e6f6cf0b87319c0a85f

    • SHA256

      cd8a35b004683e744b703c043bbc08e6b1c33aa673eb76637815c957b5dfea69

    • SHA512

      7aac9429cf4000a43887129b68dbe58acebc83098d36e7555b913c749e64a689afd180a02d20aabdff08e40ca56543c1224ea649b412df2a72c89a3e584dd526

    • SSDEEP

      3072:JZd+lPvbKJ9rVNFJ+VyMdX68C+wdJww6r50iis79KCTDd:5UvbUHP+VyMdDnwc5Fjp

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Async RAT payload

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scheduled Task (T1053): 4

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

  • Scheduled Task (T1053): 4

Privilege Escalation

  • Scheduled Task (T1053): 4

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 6

  • System Information Discovery (T1082): 11

  • Peripheral Device Discovery (T1120): 2

Tasks