General

  • Target

    Angela_White_JPG.zip

  • Size

    322KB

  • Sample

    231122-j3l9zsbb54

  • MD5

    1e39b990643671609207586826a3b9ea

  • SHA1

    1d850f1ef557e47fdbce8eecc56bc4a6765189e3

  • SHA256

    87472cf680b74aac4100b172a75b892b1d6c48427f6efb47bffc1902dfd6a621

  • SHA512

    ac66b11d310f98a414df292fa561232f6e1b98ac80bb27865fd0ec31bd4f777235f07b2585afd9d7e9d2986f36e0f98035fd837df09fd52c52cacd4b5f65c193

  • SSDEEP

    6144:M1ZqZy6ZraZWIUVBjpDL5TdivHY7L4eKpDHHV6x85/NRVyMLUVfLIImoGRTH:MfqZy69LpH5qY34e+nVE85gjpIrRD

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

FUD

C2

141.95.84.40:4291

Mutex

acw2

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

remcos

Botnet

KOS

C2

141.95.84.40:1010

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    logswin64

  • mouse_option

    false

  • mutex

    Rmc-9GHGK3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

2023 NEW nn

C2

snackdoom94.hopto.org:39

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-40NWT9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      '

    • Size

      697KB

    • MD5

      2a21115867353c3cb04732f5b175c1d3

    • SHA1

      076c30b453a4c7684b116f02dc251b0b48b700f9

    • SHA256

      5a406f27014327ba0a27040e03e7c106a0db28e11cf55679ef711ad8da09f6b8

    • SHA512

      2bfd8a6199823a355a0945075334a4541743399503c731175c56b6f34af81cd39151d91d140a67211528e21f799c28d1f362f8e09a101b32552d1bf25738a058

    • SSDEEP

      12288:m+Ep3f1vWkq0c0hjfkACwsu4Qk/CYaw+EKWM3:m+E7WUEpwsu6/CYT+EKv3

    Score
    1/10
    • Target

      Angela_White_JPG.vbs

    • Size

      111KB

    • MD5

      101629a8b4fcd639c67610a9e2c1092a

    • SHA1

      549da348789e4629ab208a4522b6d4167349c9ad

    • SHA256

      e27df88174a2ffb119da0f082a2f7eb86aa1951236c9c0fd4854418469a1ded8

    • SHA512

      5e4ee43a3a1b7e624be4602572a2d642ecb7b385beaeb7c17acf66f380f5e17cbd22234ee3b18cfac15339c31b6502ac746e937f27600db1dbe84e46ec6964f0

    • SSDEEP

      3072:Q03pXdSenFkCum03pvfpp03pp03pp03pA:LSeQr5

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Async RAT payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Registers COM server for autorun

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks