Overview

overview

10

Static

static

3

4363463463...63.exe

windows10-2004-x64

10

Resubmissions

11-02-2024 08:10

240211-j212ragb47 10

11-02-2024 08:09

240211-j2kprseb2w 10

09-02-2024 18:28

240209-w4c4xsde9t 10

02-02-2024 12:52

240202-p4dxwsgfej 10

02-02-2024 12:45

240202-pzapnsgdbp 10

16-01-2024 15:29

240116-sw8dbaehh3 10

10-01-2024 14:41

240110-r2wq2ahchl 10

10-01-2024 13:29

240110-qrqatshbg3 10

22-12-2023 08:48

231222-kqp1sadghq 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    4363463463464363463463463.bin.zip

  • Size

    4KB

  • Sample

    240211-j2kprseb2w

  • MD5

    4204f7bcb4ce002240de2af9fc5f4264

  • SHA1

    83fb5688b0cffa93b06719d0fc5b62f70af460c5

  • SHA256

    0c951f58a23cd2c9bdccb727d41e33e740344af36d91419907ce016977b2a62d

  • SHA512

    75a636889904293bb493957af9fecf5ad044ff44bb82c07b550473e6af45931ece7f2e72b53891a90c4045f8d816752414c560d2486f055824f069e6573bf103

  • SSDEEP

    96:fq6yIIHV+fWsPpulzlC8luqtW5idkvRmb/DLr2OtWtvJAsO13uhy5RKd9Wj:BIHV8WN5lu4iiTD/COtSvJAF1Gy5RKdC

Score
10/10
remcosvidarzgrat1827go!!!ratstealer

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://houssagynecologue.com/assets/js/debug2.ps1

Extracted

Family

vidar

Version

55.7

Botnet

1827

C2

https://t.me/deadftx

https://www.ultimate-guitar.com/u/smbfupkuhrgc1

http://116.202.2.1:80
Attributes
  • profile_id

    1827

Extracted

Family

remcos

Botnet

Go!!!

C2

dangerous.hopto.org:2404

dangerous.hopto.org:2602

91.92.242.184:2602

91.92.242.184:2404
Attributes
  • audio_folder

    ??????????? ??????

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    taskhost.exe

  • copy_folder

    System32

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    tapiui.dat

  • keylog_flag

    false

  • keylog_folder

    System32

  • mouse_option

    false

  • mutex

    ???-LDKG91

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    ?????????

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      4363463463464363463463463.bin

    • Size

      10KB

    • MD5

      2a94f3960c58c6e70826495f76d00b85

    • SHA1

      e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

    • SHA256

      2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

    • SHA512

      fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

    • SSDEEP

      192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

    Score
    10/10
    remcosvidarzgrat1827go!!!ratstealer

    • Detect ZGRat V1

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks