Resubmissions
13-06-2023 15:08
230613-sh5ehagg67 1012-06-2023 12:37
230612-ptx8sacc46 1009-06-2023 19:42
230609-yevzjsea3z 1008-06-2023 16:59
230608-vhg1bahg5z 1007-06-2023 18:26
230607-w3ealaec62 1007-06-2023 18:23
230607-w1vjsseg31 1006-06-2023 14:12
230606-rjb9nsea66 1005-06-2023 13:48
230605-q395dagh57 1002-06-2023 11:55
230602-n3t22sbe8z 1030-05-2023 13:02
230530-p98pfsaa3x 10General
-
Target
a.bin
-
Size
5KB
-
Sample
230613-sh5ehagg67
-
MD5
8ce1f6882edc51f701bbe648e40dd133
-
SHA1
496b3df4657e9d11df14a8ad267061d97249b511
-
SHA256
188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
-
SHA512
5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
-
SSDEEP
48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt
Malware Config
Extracted
asyncrat
1.0.7
Default
192.168.175.1:1800
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
remcos
Ares
nov231122.con-ip.com:7476
-
audio_folder
MicRecords
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
Windowsecurity.exe
-
copy_folder
Security Windows
-
delete_file
true
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Remcos-L3UAVE
-
screenshot_crypt
false
-
screenshot_flag
true
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
true
-
take_screenshot_time
5
Extracted
quasar
1.4.0
newcrypt
103.136.199.131:4782
158.247.227.231:4782
973aa178-3f17-48ed-b33e-52dd11425768
-
encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Google Chrome Updater
-
subdirectory
SubDir
Extracted
remcos
4.6.0 Light
RemoteHost
127.0.0.1:1800
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-C9JE9X
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
startup_value
Remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
remcos
Layouts
datbuggy.servepics.com:58003
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7OBYTV
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
agenttesla
https://api.telegram.org/bot5954474519:AAEGnfW1mRvGRxq-zIAvwJfpKEbhLLiqVaM/
Extracted
quasar
1.4.0
hplus20230325
103.136.199.131:4782
158.247.227.231:4782
17eb206f-a56e-4361-a18e-7ca16f3b99cc
-
encryption_key
3E9E141AD83C5BD6CE91880C0E256E15401EC674
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Google Chrome Updater
-
subdirectory
SubDir
Extracted
laplas
http://45.159.189.105
-
api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4
Targets
-
-
Target
a.bin
-
Size
5KB
-
MD5
8ce1f6882edc51f701bbe648e40dd133
-
SHA1
496b3df4657e9d11df14a8ad267061d97249b511
-
SHA256
188e97ba18d7394cb3949e66c8aeb062e3ea8675371d0ee2b5126b52366530ae
-
SHA512
5826ea307fa12db5a8005fae8758314c0810e956ead3504fda7cadaccdbe737d609dfdfdc51996ab2eb350eae20398f8fbb97b16aa01f2af373c1ba20767d7d6
-
SSDEEP
48:6jtGAK8lb9ivcfaFSfkQLJhyPFlL8thCb/IExQpwOulavTqXSfbNtm:OI0iUaakQqDgtmQpmsvNzNt
Score10/10-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload
-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
-
Async RAT payload
-
Downloads MZ/PE file
-
Modifies Windows Firewall
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads data files stored by FTP clients
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution
-
Accesses Microsoft Outlook profiles
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-