General

  • Target

    IMG_MiaaKhaliffaa.zip

  • Size

    1.3MB

  • Sample

    240313-xkqfksda2z

  • MD5

    2e604d072df8ef7087e3bbfaa2a8b267

  • SHA1

    97908c1245e6cafc32665d775622ee5bb118a225

  • SHA256

    31a3488b571c2e5fe1927533dd2db64bb39737fd30fae3133274830d3a46bcb5

  • SHA512

    a36e460f0e60b22cdc943c773d4e851dddf59757f42a77ac5a6763a96c5711cb64817a89f2393b0d712bed6f150f5b0e5de5d29057fc99f2cc743dc0e7c41f47

  • SSDEEP

    24576:jCmoJtQbux7G1oqb6SppkRbc8iw0rFNv89j5NcHacAZ9mLC/Q:nEtQqxqdppqRiw0Rm9jrcHar9me/Q

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

PAYPAL

C2

141.95.84.40:4432

Mutex

c1313v13324

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

remcos

Botnet

FRANAGUSLUCHO

C2

141.95.84.40:9991

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-6YK7Z5

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      '

    • Size

      1.3MB

    • MD5

      404d59c0647de843b9a4ed4ebcbc722e

    • SHA1

      f763ae79a50f8c87d0dace8496222f71ee2ecc88

    • SHA256

      529302808b264932d6b154f2b9ad513760c1381666068815d951a93607bd3023

    • SHA512

      e9e8ae328007564c470f145884f5eb77e5403ff8e5ae8fb1f3bad9993d1101ea3fddf2ccd802dade28dbb5a06625c429bdc88a90871a06f0ef623cd1243f282c

    • SSDEEP

      24576:4IOBuXvG1oqgrMLQRapGepGrHQZFuAz320w0VD0kRw6IFinc:4IOwXuwiEoGjQZFuAz33w0uric

    Score
    3/10
    • Target

      winrm.vbs

    • Size

      326KB

    • MD5

      843d3a4a6784696065ecf33225c23f1c

    • SHA1

      cb5c9317c63fda80da0df5f179635f400db74d4f

    • SHA256

      168820068666c7236a2e1865531cfbf548d797affbd66839285ef1a853e36e1c

    • SHA512

      fbaf49977fc249b8457becd818fe8d257a062535eb5b168294de87e8f22740ee31c49f99f14234aed8f8e7577ac3542a70b8186b28dd9e00d9fc79c9ca7030a6

    • SSDEEP

      6144:/+Dm82dSi0ukP91lF1UflGsZcfAkYrG12XMYUcMk3:mDmCklacMy

    • AsyncRat

      AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Registers COM server for autorun

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks