General
-
Target
infected2024071401.zip
-
Size
54.3MB
-
Sample
240714-krt15awemf
-
MD5
c0d08dfc184fecc0836a0810f52d3e79
-
SHA1
beb3320f6251753a7f4b8657e8566b7ee6c79627
-
SHA256
004c59e17178ebbc86da08ea93eb39064a86f5d1be7c18d330c15f80dde8504b
-
SHA512
da8ad599d16144d4584a506c699535bd5612668b3a3fce6e510ab9793ad4c5aff1d72031b313cc41a3dd51e82525e20802fdbac3e3b4532d351f472c9dacb94c
-
SSDEEP
1572864:qYAaD7qWBjRALvO9aoSquWqH99eiomhvWAB7LrKTC:qpaHqW1RqvqF/uWqdno8F5
Malware Config
Extracted
Protocol: smtp- Host:
smtp.mail.ru - Port:
587 - Username:
[email protected] - Password:
9b0P96R6nBreNQrU3Cte
Extracted
remcos
4.9.3 Light
RemoteHost
127.0.0.1:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-52SPIJ
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
http://thelustfactory.com/vns/1.ps1
Extracted
http://thelustfactory.com/vns/2.ps1
Extracted
http://thelustfactory.com/vns/winrar.exe
Extracted
asyncrat
Venom RAT + HVNC + Stealer + Grabber v6.0.3
Default
54.153.17.157:14445
rpujporiumcisxsdyop
-
delay
1
-
install
false
-
install_folder
%AppData%
Extracted
smokeloader
pub1
Extracted
remcos
RemoteHost
23.254.224.59:2404
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
-6LCEJ4
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Extracted
asyncrat
1.0.7
Default
2.56.245.243:7777
DcRatMutex_qwqdanchun
-
delay
1
-
install
false
-
install_folder
%AppData%
Targets
-
-
Target
Downloads/1PDF.FaturaDetay_202407.exe
-
Size
323KB
-
MD5
d8bf792f818877bf4848fde9511caeb8
-
SHA1
a8aea1abb7cf1ddb275584bb5746c97790342e80
-
SHA256
f5d96127b34730cf3bbbccd1c35098873fc0af897cc5d6dc3dd39a8e64c511d7
-
SHA512
28292c32d518cecb66ef0a41f583022b6c125ae758fb013dd51896c25625cc23da2a8604d794e2198939f994d15bec09d9b67003bc5bd734d27b15b167e1ebe4
-
SSDEEP
6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BLtsorUC7ggXpTILMYSQpIIQENMshQt:kANwRo+mv8QD4+0V161tTNjkIIFN5c
Score10/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
-
-
Target
Downloads/3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe
-
Size
1.9MB
-
MD5
0475d0b51b30bf28599601243c9a9aae
-
SHA1
7adf31fb8aaa01d94531f9e058e33877e0141ccf
-
SHA256
3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e
-
SHA512
92167276fc1688239f252a7101c2082ce6cd1f65f30de3b9b33a22d2fcd58a542faecf308d67c719756b4b504247c1588d159120439d1d2ef1a47612575192d6
-
SSDEEP
24576:7DseOujx71gWufN62I520/hjlB6iTzKFjiZpWFsZrKp0HqGmyejFykKu9XusD4eq:7DjxSNudSOZpW+wG8nXv0eq
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/4c40337094cf0bb86fad86d2ea724ac6e6a499f0acd877839a69d35c354a7792.exe
-
Size
2.2MB
-
MD5
05b8f1d7c18fe35533949d3b3ae5c726
-
SHA1
581171a5941b4231548331b16b2342b50616dd23
-
SHA256
4c40337094cf0bb86fad86d2ea724ac6e6a499f0acd877839a69d35c354a7792
-
SHA512
f0effe37b6097d286ba67f44da82847a56c0b933166bb4904cc75db074ad11152bd06b80733c927e55ddac84a335ff764ac8cf3d5eccdd11079f2e0162476ea5
-
SSDEEP
49152:ob33xSNudSRZpWod7tOvJOHdi1PXdFs0KinlZ4PCLRn:ooRRt6udqr
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/644d928a4a942f6ae4c90640103b595941f7a0b557ba49d122d137b1429c0325.exe
-
Size
2.0MB
-
MD5
771eade8ae168734077830344b852624
-
SHA1
5ac6b79a426a3229adef67508b751815af689f86
-
SHA256
644d928a4a942f6ae4c90640103b595941f7a0b557ba49d122d137b1429c0325
-
SHA512
ec70c99c9c0f608abd25ad614488c5a8adf7170aa29a4204efa5e7d03c0a50a55fdabbbf5758a4a24f9542fd264e98c05b28e99082e5775ca4b3d13614eef3b6
-
SSDEEP
24576:N2bLgxjx71gWufN62I520/hjlB6iTzKFMiZpWht5YY7tOvkIOTpNsVOt1a42oU+D:NYQxSNudS5ZpWNd7tOvJONNdMboMToL
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/64ec6562b96016699c6ae14166f4d31bde2b160eaa84d34a661fc2943017202e.exe
-
Size
1.9MB
-
MD5
2c9b6dd3a6026fa2c7db268eaea331df
-
SHA1
fb4c9fe50dfc133895929a96f1f43047a4ced8dd
-
SHA256
64ec6562b96016699c6ae14166f4d31bde2b160eaa84d34a661fc2943017202e
-
SHA512
899728690f636ab34e440eb1add2abd16dc3e286fd51608b2d41531ca8c00d79925e8565622185bd35e8cdc0d0c6a1a5c001c4faeba2c36e593f96cde7128856
-
SSDEEP
24576:ZDgcvIjx71gWufN62I520/hjlB6iTzKFjiZpWOsZrKp0HqGmyejFyogd23TZdG35:ZDFExSNudSOZpWfwG8Xd3Vkk
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/7a0395c75ac633d66a7a9f2690cbdb9c90ac5b0fc4f9273b6e0cf16f70eedd8e.exe
-
Size
2.0MB
-
MD5
1e96a6d78465dceadfaedf2c8200a6de
-
SHA1
8f4569d6233bb9ba161a68527ee9b8e8c04a63bb
-
SHA256
7a0395c75ac633d66a7a9f2690cbdb9c90ac5b0fc4f9273b6e0cf16f70eedd8e
-
SHA512
7a920008616f6b2a2c7abfd272b2e22c471dd68b5d9d6c8bcbb521bb26173d8e06fc0b291964205cdc9347dd6a946fcd2239a8d0ca67bd1adaa0eaeae1722127
-
SSDEEP
49152:j1YhxSNudS5ZpW5d7tOvJOpE8BIMXxl4IPTRUN33eFvlux4NuAIBq6As/qZrUFju:BYm5Et6OEVS
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe
-
Size
2.2MB
-
MD5
6c155f7b7d10fffc7a31ce4eb5d3a1f8
-
SHA1
f3483275258b30ab963e672656fd9aaebe814877
-
SHA256
901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4
-
SHA512
5a1a94c2b63a683a5281b05b998b5b35a215bab2cc47c74f332783a78a5de107f8bb15ca3c006e1672f4ab4918376f09769fa028a172b68a6ded814e4be0ed65
-
SSDEEP
49152:qb33xSNudSRZpWXd7tOvJOodL1PXdFs0Ki3lZ4/yARne:qoR2t6ld1Ln
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/938b7e042bda75e416261e46d0d4873781fd5d53c2ce6c2748b92eeb8a826598.exe
-
Size
1.9MB
-
MD5
c318036044f10d288cedac36d81a611b
-
SHA1
442245535cd0c4876f784a28fdbf6a32bb70e220
-
SHA256
938b7e042bda75e416261e46d0d4873781fd5d53c2ce6c2748b92eeb8a826598
-
SHA512
6043678915f0893b3fbca5633dc1effe2e27d0f25eb1da413b14b93aa4204334b8792fee3e67bbfc905cc0130748afbec6fc6aaf834fe7c168a430bd06d769da
-
SSDEEP
24576:MDXpgvsPjx71gWufN62I520/hjlB6iTzKF+iZpWWt5YY7tOvkIOTUQvb7Mhh21:MDevYxSNudSrZpWKd7tOvJOpb7K81
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/96d1bc7dec91a7a4e5fe653853a504e07d17e898fa437cf75e929fa909dd6bb7.exe
-
Size
1.9MB
-
MD5
793083dde2eea5178604a08fb09da307
-
SHA1
95934b5ce27e6e6460e0eb4d6f6d43f5ee152fde
-
SHA256
96d1bc7dec91a7a4e5fe653853a504e07d17e898fa437cf75e929fa909dd6bb7
-
SHA512
94cf4786a639eca98bfaf553349afae0bd68a905fe73b423399ed3a728aa572baabb08040ca778fc4bb24ce26d3deaf1cb6649e1a674570b0dfb98b205049b5c
-
SSDEEP
49152:b3BxSNudSRZpWid7tOvJOu1LhCvV1iSvz6qHtBnP8x1NABnNm6z+EknpBASLKbiu:aRrt62T
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/Built.exe
-
Size
33.3MB
-
MD5
bf496771139b8b76ab7e2e3813ce78a3
-
SHA1
949686fc9af5710904902044e92b0397b337d814
-
SHA256
92118eac9bf1f5e9cf45e2773f74163202f609125e8f0aa0a077446e6f1cd4d1
-
SHA512
ce9ab86130380ffc378ae3cd14c67c94f6034631821392aba9c8946eec07591311e7942b45cfe2dacfcae6cfe73495937be9b81790ea66824c3212fcb9cd3bc2
-
SSDEEP
786432:8Nz4CWGpXkqva096PzXf4mWy1DlIF1qqHdbrtTqslFEO:IkCWGJ446rPu/FQqjqwFd
Score8/10-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Adds Run key to start application
-
Blocklisted process makes network request
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Hide Artifacts: Hidden Files and Directories
-
-
-
Target
Downloads/DHL_PT563857935689275783656385FV-GDS3535353.bat
-
Size
6KB
-
MD5
60186cd9a2e82835bc143c1fb4662b7e
-
SHA1
880c7f14743f9759b30bcc28085949122f54c20e
-
SHA256
b66081b0e5dfe21e03d1043700d7c05e65bda96ad33a6370c374217d5ae84405
-
SHA512
98ca66c502178601cf1d568fb4b5ef122564f548eae2c82c9979207ea69398212f2b35571f3cc0696ec9edb70174a016c00ddd12fc26140d63196188e6f0f8b7
-
SSDEEP
192:jOJVeUYLAKLt+IS0y+80TJco4Ga5y0p8te:QeAKZZS280FL3aw0aE
Score10/10-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
-
-
Target
Downloads/DTLite.exe
-
Size
2.1MB
-
MD5
684de18cccab7719057cd4bbfbee16c3
-
SHA1
a7b956a4aca4624fb466a932d49fb3268a42b7e2
-
SHA256
fb26dcd89930afef0012125087704a3564d8ef0a37c3c6c021b42071ad273ceb
-
SHA512
a06aefaf05f3011daeb65a34a773e920b868078c3c104982546a6d5a75c3da11cf9988adb1d595264d8d3cf78f340bae2d8242ca3e6090d72e2fce747c7176cb
-
SSDEEP
49152:/1YhxSNudS5ZpWBd7tOvJOUUFBIMXxl4IPTRUN33eFvlux4NuAIBq6As/qZrUFjk:dYm54t6rUOSW
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/PDF.FaturaDetay_202407.exe
-
Size
322KB
-
MD5
3a2ba5be087162cfdb5d49ac32edd534
-
SHA1
879043e2954c4cf7f461c1381ae2a943d71bbaef
-
SHA256
7a285458817660143004002c76b1e1457666b1659dfbd35863541f62630430d0
-
SHA512
ba8dba7d1cd39b00cf6ee894809b1c09a3f72484d6dafb4ff2b2663d29247baf0565dfc3e4f0bcccb78138ffca59e9c56579485244d00f5b1bc69cfedb1c024a
-
SSDEEP
6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BLGx1d0RjzV5Pnz63LLHBNy:kANwRo+mv8QD4+0V16xblLPkLLhNy
Score10/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
-
-
Target
Downloads/PDF.exe
-
Size
258KB
-
MD5
34c2047d0b69ba023b700c21431accc0
-
SHA1
e34c28611707c81565cb73d8a1a46dfc3ab2495a
-
SHA256
ff9b39d07fd6e4a7f98d109664d91de9e318671da6412da85396541722d92799
-
SHA512
a1566d65beb8135edfcb5c4a09631bc17dff56db672621990a10d0eff37a0290c7e1e9705f1918a7e719cbea4b1cecc29bb8254da946108e9bd5432070cc8ca7
-
SSDEEP
6144:VbJhs7QW69hd1MMdxPe9N9uA0hu9TBrjJ0Xxne0AqGLj:VbjDhu9TV6xeJqG3
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
Downloads/SIP.03746.XSLSX.exe
-
Size
321KB
-
MD5
a3e681364daaa68ce0177581573f483f
-
SHA1
eefb4725622f42019e475aa26439c0cf60dc7cc2
-
SHA256
a94869345f7f1f3a1bc6cca4aa94cc7bde30dcb0bb18198567ea58cc93ba2c15
-
SHA512
a071ae229d39674e53cf0051bde78b792041064a90580ab4ef51c4bec8dd4e7cc19934a3249e45df20cf3bc1aa76b28ba04f954eda9767acd2aa2092c606949b
-
SSDEEP
6144:RZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6oHGx1d0RjzV5Pnz63LLHBN+:PANwRo+mv8QD4+0V16oHblLPkLLhN+
Score10/10-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Hide Artifacts: Hidden Window
Windows that would typically be displayed when an application carries out an operation can be hidden.
-
-
-
Target
Downloads/a33245a27c02bbb72bf66f6bf1c960affefa8ed2a096dc1d6faa6699fe81c48a.exe
-
Size
1.9MB
-
MD5
2121a055e132df9c2b62d3ad578faa85
-
SHA1
60439cb5d41f2256eb54bbd1d84d8d04d78272ef
-
SHA256
a33245a27c02bbb72bf66f6bf1c960affefa8ed2a096dc1d6faa6699fe81c48a
-
SHA512
55039a343efd737a7488193f777ca0a44dc465f098e51241d8a0699478d72dda9f5eb8bb204e96cc81da14191475e1ff87132680ac4b5956cb1b85d06a4a6c71
-
SSDEEP
24576:kDLnN/pjx71gWufN62I520/hjlB6iTzKF+iZpWSsZrKp0HqGmyejFyzXYVN4on59:kDLn7xSNudSrZpWLwG8bvn59
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/arwbjuh.exe
-
Size
294KB
-
MD5
2b292145e4ec28e8bd8b22c1353543d1
-
SHA1
d9b9d23b2c320efcaf54ddcba8b42540f3934aa0
-
SHA256
60bda530b226d63299968670e256a9a2896ab69076e16792436e92f95bc0d0e0
-
SHA512
2b0cd9732b39fb99b37a0a67c091083e31989c9e41a2c9be6da8f3d10382d65d27a79968dc9c9abc55bf659d47898d17f9f4a6873a0046612ca76733cd50ca58
-
SSDEEP
3072:Dq3vlb4qEAkDhZdrTbLC9VZBjnNgRM6Fh:DybjEXFZd3C9VZ7eF
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
-
-
Target
Downloads/bjutbht.exe
-
Size
294KB
-
MD5
9442e7f51753f9ef3604a13e459334aa
-
SHA1
b8ecc6920c4fca9725fbc78d6684359c88b8224a
-
SHA256
7e0623dbd4975ddc7790c45c9407527c048cb04727ddf757e70f7d5b702703fd
-
SHA512
5af0b0653245ebc1a1aac4cca90d2bb53b48bea25a8f104cbd3e410f1374ef86a578fc56b3c7d42fc9bb0a5b22db97b007805da72528c89dca575c8196361cce
-
SSDEEP
3072:lCHi6zfNNcKW0PNXiWIztAq/czUZrHFdOIMRsSHHi:lezVlPxbKpEqiHH
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
-
-
Target
Downloads/black.bat
-
Size
7KB
-
MD5
1527117f206e85215dc0b306ff303997
-
SHA1
058297bbc06690c0fc1614a27dccab912acbfd01
-
SHA256
8ea56b9b4f79485aedb615161ba64c55950a6970f21dc0f2a7691dd66de91cd2
-
SHA512
490de266e4516bee0cc6075ec693cbe53c629a1f9740df94951b780745ea67b452b96b6d4e413d9a144e2f853da4cbd0bfab86638440daf8cc7ac9a1269c4e4f
-
SSDEEP
192:9y/GNQigY2Nw9GKNCufevytXrrLe57YKRZ280QDdc28eNMqMzDWZ:9EGNrJzsKUufKytXr2OKH0Mi28eNMqM2
Score8/10-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
-
-
Target
Downloads/borlndmm.dll
-
Size
2.8MB
-
MD5
eb6fad4894d0b420b92c00acda8122ae
-
SHA1
8be6dfa8e216d2f7b68f2ab05e63a78fa51374f6
-
SHA256
18a26f67712f75a9251e8350089fc83d55c33f2fa82c46e5f67f1d6dc5716a4a
-
SHA512
4cbaad723076f539788acca418dcc9234d0c9d2978978a855cd670a6ad2300ebe4bb28c35fc048494df30c9d76bead5b6aae1b26168e6e0b230d34ac8797202e
-
SSDEEP
49152:1MkOevf30HlhHRPErtXFqVn1P2Rt8fUaRMXA3IloTf7OFk/41NjwT7x7uFh1hz:kY1Un1P2Rt8fUaRMXkuwB7uF5z
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Blocklisted process makes network request
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
-
-
Target
Downloads/ccleaner.exe
-
Size
1.9MB
-
MD5
a7e44b01b9f23031067e9032196cc0ba
-
SHA1
c8c763e9cc7a1eeb724a1c54f92f29e2f5382ce4
-
SHA256
ba5067481b31085ae5222f912097d54125dcc97c6551396f11974ae4bec2bd98
-
SHA512
caa6feb23c2bcdcfd8affafddcf71bd03fbe44a8fa7d197e6643a3609026f1821451f998b3a9c47649c99a0271cbf481e3e47375dd91b562005091ef3706f53f
-
SSDEEP
24576:RDXpgvsPjx71gWufN62I520/hjlB6iTzKF+iZpWdt5YY7tOvkIOTbNvb7Jhh2:RDevYxSNudSrZpWxd7tOvJOtb7v8
Score1/10 -
-
-
Target
Downloads/d87e2dcd2eb9763552645a34218696143fa99ac7b5173dcd04889ce9f5ddf96d.exe
-
Size
2.2MB
-
MD5
b1fb38b2b6032ca248f163aaa5cf8ae6
-
SHA1
f6dac083cd4762a832371eddcbb94362a31c58b0
-
SHA256
d87e2dcd2eb9763552645a34218696143fa99ac7b5173dcd04889ce9f5ddf96d
-
SHA512
613e75f96c2bc5d591de36e374313b9ad444fc62126b056d2d62f402dd0182fadba78e04d4602c3dd34445629a3d9f7e1f46d15ab61992c73f1e4371700337a3
-
SSDEEP
49152:sxSNudSnZpWDd7tOvJOodL1PXdFs0Ki3lZ4q:rn6t6ld1z
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
-
-
Target
Downloads/dwvhgtd.exe
-
Size
294KB
-
MD5
846954f6bb92d6152358220de974eadb
-
SHA1
2c48027755783d35b163a43b62ffafba8345155d
-
SHA256
aac7b251e062ab7269ce69a144a2587b21c054bb166464e23b0cbf9d37d13f59
-
SHA512
a6fc58543c6f6ad62ea73d60790b58ab758e8be2e7300a844f5032e991b8cd9472105eec9ff88035dff7f176f1f838776ed256db618087b6da70e1c332fd56c7
-
SSDEEP
3072:Vq3vlbw7VtyD3Y8xgpLJuMg9h4XE7mbggyF3cE1VEzLSnhl6AJ:VybGnS6LJuwfgZME1ESniA
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
-
-
Target
Downloads/file.exe
-
Size
294KB
-
MD5
9442e7f51753f9ef3604a13e459334aa
-
SHA1
b8ecc6920c4fca9725fbc78d6684359c88b8224a
-
SHA256
7e0623dbd4975ddc7790c45c9407527c048cb04727ddf757e70f7d5b702703fd
-
SHA512
5af0b0653245ebc1a1aac4cca90d2bb53b48bea25a8f104cbd3e410f1374ef86a578fc56b3c7d42fc9bb0a5b22db97b007805da72528c89dca575c8196361cce
-
SSDEEP
3072:lCHi6zfNNcKW0PNXiWIztAq/czUZrHFdOIMRsSHHi:lezVlPxbKpEqiHH
Score10/10-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
-
-
Target
Downloads/helper.bat
-
Size
27KB
-
MD5
8d987e2f2fef6f2bd726d392bac46c55
-
SHA1
64ab8a696b52189d5fd809da924d1dc36e07d7c3
-
SHA256
10e4a6b54cc0cf4d18dde8b69e0b305abe487e07ed990c5bff82ce30b217b910
-
SHA512
a8c48da620cfc0b4ea55efba87a98625e4b1eaf4553006a259fc5915836afcdee413180d1dcfc40ab8830741257f5ab723d4536788b0d751a6ba8a28cbfcdf45
-
SSDEEP
768:AZWM6xwaPdP30trmRblevg8heVbaEUdLQdy6VTRZE3mn:ZM6xzR30ZmRb4YI2TILQdy6VTRL
Score10/10-
AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
-
Async RAT payload
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
-
-
Target
Downloads/setup.exe
-
Size
5.0MB
-
MD5
d6dd2275a92bd37adb3a886255a431ef
-
SHA1
a28933f79041f29a681cfb444fc7b8d63435c510
-
SHA256
e51f3f998cd7c0783deb68c18c39b6ccf77f5dca0b611ddd23dcf09845ab8b31
-
SHA512
1c303bf3dfc8ba54d02096615cdbf34752a312c2478f16c3fc38a8e75b2ab0619fb46e434b2b96aa89114873c3659db91fb9e0308fe47d91d0b9124e48814ded
-
SSDEEP
98304:Cf6hoGwhlxoORmkoq6LoTxHVo81F728I/e6KMMj9BZCloOhyNnh+IDQxb:avpeAZILoTFT1s8n9TfhdDQB
Score10/10-
Detect Socks5Systemz Payload
-
Socks5Systemz
Socks5Systemz is a botnet written in C++.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Netsh Helper DLL
1Defense Evasion
Hide Artifacts
3Hidden Files and Directories
2Hidden Window
1Modify Registry
3