Overview

overview

10

Static

static

3

New Compre...er.zip

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    New Compressed (zipped) Folder.zip

  • Size

    253KB

  • Sample

    231213-cbanjsedfk

  • MD5

    53dc6576ef56a38db13c8a1d9e0418b6

  • SHA1

    259b66652dc7e4611d664834d59808adf92285a9

  • SHA256

    4640e7ead55a52ee5ecf0d1f6625f78e04bc604eb63f3767e877da8c186175ce

  • SHA512

    d53a4137b12ee20a88a4f01210ecb3459b71a6c10238dc179e019cacda80e7013a148d0b156fadcb5b094007adaeaef76b6f35d09674c4169369182b980cf32b

  • SSDEEP

    6144:DckacEQLtW4qdCNSooiLsiUwfD48XCQgIhGQ2kR/G0puNDArB3:4xoW4SULsiUUD4E3gIAQ2/xY3

Score
10/10
agentteslaremcosremotehostkeyloggerratspywarestealertrojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://bitbucket.org/!api/2.0/snippets/roootscauses/xqXo9n/cabaf10ca36d2fd137afe6909c393a2e3293dc4c/files/elanawork.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840
exe.dropper

https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840

Extracted

Language
hta
Source
URLs
hta.dropper

https://bitbucket.org/!api/2.0/snippets/roootscauses/bqxMzd/fb4c52533bbd299e32e82694f8039669d184e596/files/moye.html

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840
exe.dropper

https://uploaddeimagens.com.br/images/004/667/608/original/hta.jpg?1700268840

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://uploaddeimagens.com.br/images/004/683/779/original/download.jpg?1701878864
exe.dropper

https://uploaddeimagens.com.br/images/004/683/779/original/download.jpg?1701878864

Extracted

Family

remcos

Botnet

RemoteHost

C2

lora1.safesopkoco.com:2404

lora2.safesopkoco.com:2404

safesopkoco.com:2404

masterbotsbrothers.xyz:2404

mota1.masterbotsbrothers.xyz:2404

mota2.masterbotsbrothers.xyz:2404

lora1.safesopkoco.co:2404

lora2.safesopkoco.co:2404

lora2.safesopko.net:2404

lora1.safesopko.net:2404
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-D4J8YD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6846062945:AAGabPi9vxKPIKfVbRT2fLEd-Rnu3DtD_6I/

Targets

    • Target

      New Compressed (zipped) Folder.zip

    • Size

      253KB

    • MD5

      53dc6576ef56a38db13c8a1d9e0418b6

    • SHA1

      259b66652dc7e4611d664834d59808adf92285a9

    • SHA256

      4640e7ead55a52ee5ecf0d1f6625f78e04bc604eb63f3767e877da8c186175ce

    • SHA512

      d53a4137b12ee20a88a4f01210ecb3459b71a6c10238dc179e019cacda80e7013a148d0b156fadcb5b094007adaeaef76b6f35d09674c4169369182b980cf32b

    • SSDEEP

      6144:DckacEQLtW4qdCNSooiLsiUwfD48XCQgIhGQ2kR/G0puNDArB3:4xoW4SULsiUUD4E3gIAQ2/xY3

    Score
    10/10
    agentteslaremcosremotehostkeyloggerratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Drops startup file

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks