Overview

overview

10

Static

static

10

RAT/Adwind.jar

windows7-x64

1

RAT/Adwind.jar

windows10-2004-x64

10

RAT/Blackkomet.exe

windows7-x64

10

RAT/Blackkomet.exe

windows10-2004-x64

10

RAT/CobaltStrike.docm

windows7-x64

10

RAT/CobaltStrike.docm

windows10-2004-x64

10

RAT/CrimsonRAT.exe

windows7-x64

10

RAT/CrimsonRAT.exe

windows10-2004-x64

10

RAT/NJRat.exe

windows7-x64

10

RAT/NJRat.exe

windows10-2004-x64

10

RAT/NetWire.doc

windows7-x64

10

RAT/NetWire.doc

windows10-2004-x64

7

RAT/NetWire.exe

windows7-x64

10

RAT/NetWire.exe

windows10-2004-x64

10

RAT/Remcos.exe

windows7-x64

10

RAT/Remcos.exe

windows10-2004-x64

10

RAT/RevengeRAT.exe

windows7-x64

10

RAT/RevengeRAT.exe

windows10-2004-x64

10

RAT/VanToM-Rat.exe

windows7-x64

7

RAT/VanToM-Rat.exe

windows10-2004-x64

7

RAT/WarzoneRAT.exe

windows7-x64

10

RAT/WarzoneRAT.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RAT.zip

  • Size

    4.6MB

  • Sample

    240303-bljhrsah7x

  • MD5

    dcedb9512531b041cb158200ebf0903a

  • SHA1

    13b4817400f28e7728bd3b73ca305f68de9a05da

  • SHA256

    0d6e873aa8faee0a896e6ac7679a216585933bc29bdd2c1bc006ce56a6e86818

  • SHA512

    dc9c0faed5d66855d8a48b87ccb1c29c33628ea44c83fa36a6a48ce043af89be6d9f4f9989fb1b5860ae4478a4e8aaae15b1e515e92147676b84b84219fa3160

  • SSDEEP

    98304:3Jgh27PjFtfeDmhXdckuXqxlPaD3xzt5XVn5/3t6:3JghwCD0adIpaDlttdn6

Score
10/10
crimsonratdarkcometmetasploitmodiloadernetwirenjratremcosrevengeratwarzoneratgeforceguesthostbackdoorbotnetdiscoveryevasioninfostealermacromacro_on_actionpersistenceratrezer0spywarestealertrojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Geforce

C2

startitit2-23969.portmap.host:1604

Mutex

b9584a316aeb9ca9b31edd4db18381f5

Attributes
  • reg_key

    b9584a316aeb9ca9b31edd4db18381f5

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

modiloader

C2

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735
Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Userdata.exe

  • copy_folder

    Userdata

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    remcos_vcexssuhap

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

revengerat

Botnet

Guest

C2

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Family

netwire

C2

tamerimia.ug:6975

vbchjfssdfcxbcver.ru:6975
Attributes
  • activex_autorun

    false

  • copy_executable

    false

  • delete_original

    false

  • host_id

    AAAAA

  • lock_executable

    false

  • mutex

    CQbRXVuG

  • offline_keylogger

    false

  • password

    jhbkdcfgvdfgknl

  • registry_autorun

    false

  • use_mutex

    true

Extracted

Family

warzonerat

C2

168.61.222.215:5400

Extracted

Family

metasploit

Version

windows/download_exec

C2

http://149.129.72.37:23456/SNpK

Attributes
  • headers User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP09; NP09; MAAU)

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      RAT/Adwind.exe

    • Size

      5KB

    • MD5

      fe537a3346590c04d81d357e3c4be6e8

    • SHA1

      b1285f1d8618292e17e490857d1bdf0a79104837

    • SHA256

      bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

    • SHA512

      50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

    • SSDEEP

      96:w9fXh7CBF8l1cHRDOjY4YbiPkW7UW1g+dWi9sBSy3HQNm6wx2xC7vz5:GXh78hHRDOU4YWPk2J14i9E3ymBxW+

    Score
    10/10
    njratremcosdiscoveryrattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies file permissions

      discovery
    behavioral1behavioral2

    • Target

      RAT/Blackkomet.exe

    • Size

      756KB

    • MD5

      c7dcd585b7e8b046f209052bcd6dd84b

    • SHA1

      604dcfae9eed4f65c80a4a39454db409291e08fa

    • SHA256

      0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

    • SHA512

      c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

    • SSDEEP

      12288:XOANXryu1S69QwWBIlVi4o858nFBKgmvtOwUATgDQ3:eANOCS6qwWB0V5o8mnqvtrdgDQ3

    Score
    10/10
    darkcometevasionpersistencerattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    behavioral3behavioral4

    • Target

      RAT/CobaltStrike.doc

    • Size

      86KB

    • MD5

      96ff9d4cac8d3a8e73c33fc6bf72f198

    • SHA1

      17d7edf6e496dec4695d686e7d0e422081cd5cbe

    • SHA256

      96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d

    • SHA512

      23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46

    • SSDEEP

      1536:lDZnLvdWcSVUj473eXfb6K3ABfSlH+ArfocK4XEorNColhVDo8NYzyReCxRVZs+x:vDAzVY4zSfb6mABfSleqocKg7Bo8NiCR

    Score
    10/10
    metasploitbackdoortrojan

    • MetaSploit

      Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

      trojanbackdoormetasploit

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    behavioral5behavioral6

    • Target

      RAT/CrimsonRAT.exe

    • Size

      84KB

    • MD5

      b6e148ee1a2a3b460dd2a0adbf1dd39c

    • SHA1

      ec0efbe8fd2fa5300164e9e4eded0d40da549c60

    • SHA256

      dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

    • SHA512

      4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

    • SSDEEP

      1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

    Score
    10/10
    crimsonratrat

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

      ratcrimsonrat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral7behavioral8

    • Target

      RAT/NJRat.exe

    • Size

      31KB

    • MD5

      29a37b6532a7acefa7580b826f23f6dd

    • SHA1

      a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

    • SHA256

      7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

    • SHA512

      a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

    • SSDEEP

      768:64+64ZRzo+zxJ+lS7gqzZ5XvzpQmIDUu0ti69j:xM3/Bh1QVkvj

    Score
    10/10
    njratevasionpersistencetrojan

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Modifies Windows Firewall

      evasion

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral10behavioral9

    • Target

      RAT/NetWire.doc

    • Size

      7.3MB

    • MD5

      6b23cce75ff84aaa6216e90b6ce6a5f3

    • SHA1

      e6cc0ef23044de9b1f96b67699c55232aea67f7d

    • SHA256

      9105005851fbf7a7d757109cf697237c0766e6948c7d88089ac6cf25fe1e9b15

    • SHA512

      4d0705644ade8e8a215cc3190717850d88f4d532ac875e504cb59b7e5c6dd3ffae69ea946e2208e2286e2f7168709850b7b6e3b6d0572de40cfe442d96bba125

    • SSDEEP

      49152:GI3M51kvB7YHve+tPHAUpS60t4+6mEuKsXtz5LlqCO4n44m4uXkyNR4Ss3NZx:GuMPkvdYbgUpShGmZfXZZ1O7NRzG

    Score
    10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    behavioral11behavioral12

    • Target

      RAT/NetWire.exe

    • Size

      1.2MB

    • MD5

      7621f79a7f66c25ad6c636d5248abeb9

    • SHA1

      98304e41f82c3aee82213a286abdee9abf79bcce

    • SHA256

      086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

    • SHA512

      59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

    • SSDEEP

      24576:nBlDgE7EmXWAqSvg439vGSVNe1/hqIiHSvd7:n7DlC+GSjiBiyF

    Score
    10/10
    modiloadernetwirebotnetpersistenceratstealertrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • ModiLoader First Stage

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral13behavioral14

    • Target

      RAT/Remcos.exe

    • Size

      92KB

    • MD5

      fb598b93c04baafe98683dc210e779c9

    • SHA1

      c7ccd43a721a508b807c9bf6d774344df58e752f

    • SHA256

      c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

    • SHA512

      1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

    • SSDEEP

      1536:AhhW0YTGZWdVseJxaM9kraLdV2QkQ1TbPX8IHOCkIsI4ESHNTh9E+JP19qkP6brM:GhzYTGWVvJ8f2v1TbPzuMsIFSHNThy+7

    Score
    10/10
    remcoshostevasionpersistencerattrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • UAC bypass

      evasiontrojan

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral15behavioral16

    • Target

      RAT/RevengeRAT.exe

    • Size

      4.0MB

    • MD5

      1d9045870dbd31e2e399a4e8ecd9302f

    • SHA1

      7857c1ebfd1b37756d106027ed03121d8e7887cf

    • SHA256

      9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

    • SHA512

      9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

    • SSDEEP

      1536:SGZiTHzreu+4SHYEJicHHkxcPiwlJ6BjQaJ7ehgQpmnp3bDBq+AD3tSYxV:Z8AHxicHEuP5l/aJ7ehgiYDk9SYz

    Score
    10/10
    revengeratguestpersistencestealertrojan

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

      trojanrevengerat

    • RevengeRat Executable

      stealer

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral17behavioral18

    • Target

      RAT/VanToM-Rat.bat

    • Size

      183KB

    • MD5

      3d4e3f149f3d0cdfe76bf8b235742c97

    • SHA1

      0e0e34b5fd8c15547ca98027e49b1dcf37146d95

    • SHA256

      b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

    • SHA512

      8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

    • SSDEEP

      3072:UurlxKcmWTTt7Zde2vBVQF4EWjFRA229YvepcCBKXnpU:vrlOWFddeAVQF4EWx92iepcCBK3

    Score
    7/10
    persistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence
    behavioral19behavioral20

    • Target

      RAT/WarzoneRAT.exe

    • Size

      321KB

    • MD5

      600e0dbaefc03f7bf50abb0def3fb465

    • SHA1

      1b5f0ac48e06edc4ed8243be61d71077f770f2b4

    • SHA256

      61e6a93f43049712b5f2d949fd233fa8015fe4bef01b9e1285d3d87b12f894f2

    • SHA512

      151eebac8f8f6e72d130114f030f048dff5bce0f99ff8d3a22e8fed7616155b3e87d29acf79f488d6b53ed2c5c9b05b57f76f1f91a568c21fe9bca228efb23d9

    • SSDEEP

      6144:62GhN2db088fTdUuNU0we+HPps1zcJLVPzGKfwQ7PHC3NJTyhtPB1m:62iNG088fTWsU0wJBsGJPf4Q7PHC3NJ8

    Score
    10/10
    warzoneratinfostealerratrezer0

    • WarzoneRat, AveMaria

      WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

      ratinfostealerwarzonerat

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Warzone RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral21behavioral22

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

File and Directory Permissions Modification

1
T1222

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

2
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Scripting

1
T1064

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks

static1

geforcemacromacro_on_actionhoststealerguestdarkcometnjratmodiloaderremcosrevengerat
Score
10/10

behavioral1

Score
1/10

behavioral2

njratremcosdiscoveryrattrojan
Score
10/10

behavioral3

darkcometevasionpersistencerattrojan
Score
10/10

behavioral4

darkcometevasionpersistencerattrojan
Score
10/10

behavioral5

metasploitbackdoortrojan
Score
10/10

behavioral6

metasploitbackdoortrojan
Score
10/10

behavioral7

crimsonratrat
Score
10/10

behavioral8

crimsonratrat
Score
10/10

behavioral9

njratevasionpersistencetrojan
Score
10/10

behavioral10

njratevasionpersistencetrojan
Score
10/10

behavioral11

Score
10/10

behavioral12

Score
7/10

behavioral13

modiloadernetwirebotnetpersistenceratstealertrojan
Score
10/10

behavioral14

modiloadernetwirebotnetpersistenceratstealertrojan
Score
10/10

behavioral15

remcoshostevasionpersistencerattrojan
Score
10/10

behavioral16

remcoshostevasionpersistencerattrojan
Score
10/10

behavioral17

revengeratguestpersistencestealertrojan
Score
10/10

behavioral18

revengeratguestpersistencestealertrojan
Score
10/10

behavioral19

persistencespywarestealer
Score
7/10

behavioral20

persistencespywarestealer
Score
7/10

behavioral21

warzoneratinfostealerratrezer0
Score
10/10

behavioral22

warzoneratinfostealerratrezer0
Score
10/10