General

  • Target: April-29-receipt.zip
  • Size: 205KB
  • Sample: 240430-phvcraca4v
  • MD5: edc8c1b6536f29c0b7da2254dc7b2815
  • SHA1: 52e236ee861a43f15ce08489b1dbd288fdfd78e4
  • SHA256: a25581c800a7705e573bc684b7b364632a63962e2fa6d214cfa1bdd2e9d38cb1
  • SHA512: 25905a4310ef0e4dd2e437b961a1fc0f1b5810e6a02384b3f3c453b70f7525bc1e3fb8b6b258556fc92887623ae38b5a816a96507fd2ef5353a64c4be2e1d442
  • SSDEEP: 48:4VttKFlchhAlqp1lFaTt+LPfKUPcE77VZlO0uTN0Nx8L1oM1Nci/ZtdlMEjEoayo:aAklFisLPnpvVZlOfNs8RNciBvng

Malware Config

Extracted

Family: xworm
Version: 3.1
C2: aprilxrwonew8450.duckdns.org:8450
Mutex: 0VZWHbNr1OapRPc5
Attributes
  • install_file: USB.exe
aes.plain

Extracted

Family: remcos
Botnet: RemoteHost
C2: remco8100.duckdns.org:8100
Attributes
  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-G51VNO
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: April-29-receipt.JS
    • Size: 200.0MB
    • MD5: 5012f7c0a6af87c3b2993a24523586e3
    • SHA1: 2f690f63035e996976430de0d2b2cbe4d2c55f06
    • SHA256: af57907b53533c7fb34e162201fa674ceb3a99223a819cb54fa14dd92cb90db8
    • SHA512: 0c89f1f259a6e8ff4deabb4b11074370c6cd9398a19ef1c26e73f718fa1dfe8aec32e10b357cc3c293d9906194edbf70b5fee2f468c805392bcde4f76b047097
    • SSDEEP: 96:A4iG6S+xh/kVzTTzvTssSFHG+JTCsMQCLb3i4Y4i444o1maJNLG6S+c2hxOm/3:ND6Ssh/psmH3JjY0Y6Sh2hxO
    • Detect Xworm Payload
    • Detect ZGRat V1
    • Remcos
      Remcos is a closed-source remote control and surveillance software.
    • Xworm
      Xworm is a remote access trojan written in C#.
    • ZGRat
      ZGRat is a remote access trojan written in C#.
    • Blocklisted process makes network request
    • Checks computer location settings
      Looks up the country code configured in the registry, likely a geofence check.
    • Drops startup file
    • Adds Run key to start application
    • Enumerates connected drives
      Attempts to read the root path of hard drives other than the default C: drive.
    • Legitimate hosting services abused for malware hosting/C2
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
