Overview: score 10/10
Static: score 10/10

1PDF.Fatur...07.exe (windows11-21h2-x64): 8/10
3e6642f710...5e.exe (windows11-21h2-x64): 10/10
4c40337094...92.exe (windows11-21h2-x64): 10/10
644d928a4a...25.exe (windows11-21h2-x64): 10/10
64ec6562b9...2e.exe (windows11-21h2-x64): 10/10
7a0395c75a...8e.exe (windows11-21h2-x64): 10/10
901478668c...d4.exe (windows11-21h2-x64): 10/10
938b7e042b...98.exe (windows11-21h2-x64): 10/10
96d1bc7dec...b7.exe (windows11-21h2-x64): 10/10
Built.exe (windows11-21h2-x64): 8/10
DHL_PT5638...53.bat (windows11-21h2-x64): 8/10
DTLite.exe (windows11-21h2-x64): 10/10
PDF.Fatura...07.exe (windows11-21h2-x64): 8/10
PDF.exe (windows11-21h2-x64): 10/10
SIP.03746.XSLSX.exe (windows11-21h2-x64): 8/10
a33245a27c...8a.exe (windows11-21h2-x64): 10/10
arwbjuh.exe (windows11-21h2-x64): 10/10
bjutbht.exe (windows11-21h2-x64): 10/10
black.bat (windows11-21h2-x64): 8/10
borlndmm.dll (windows11-21h2-x64): 10/10
ccleaner.exe (windows11-21h2-x64): 1/10
d87e2dcd2e...6d.exe (windows11-21h2-x64): 10/10
dwvhgtd.exe (windows11-21h2-x64): 10/10
file.exe (windows11-21h2-x64): 10/10
helper.bat (windows11-21h2-x64): 10/10
setup.exe (windows11-21h2-x64): 7/10

General
Target: infected2024071401.zip
Size: 54.3MB
Sample: 240717-ywvp4swhjk
MD5: 1deae7b244bd725828d39c59ccb36f5b
SHA1: af1298cefef18ddae3bc472b61828d4b8ee30594
SHA256: c56c00ca3f42026f17affef76b3752f268d1498f862b3143985ca7c1d33feb39
SHA512: 15d37132af78f43b79da983fdd7db5a6716d9eded87568e1c1a24a8241f5e4e0f7de22b6c72a0640dd027ddc50f2f24fdb0ec5b8a2ed606588e2ce80aa873bbe
SSDEEP: 1572864:ZCPcetzLnPM24Z4Ienxa/x4AW+kTpM/vpnT:M3LnPHxACSkTpqvpnT
Behavioral tasks (all run with resource win11-20240709-en)
behavioral1: 1PDF.FaturaDetay_202407.exe
behavioral2: 3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe
behavioral3: 4c40337094cf0bb86fad86d2ea724ac6e6a499f0acd877839a69d35c354a7792.exe
behavioral4: 644d928a4a942f6ae4c90640103b595941f7a0b557ba49d122d137b1429c0325.exe
behavioral5: 64ec6562b96016699c6ae14166f4d31bde2b160eaa84d34a661fc2943017202e.exe
behavioral6: 7a0395c75ac633d66a7a9f2690cbdb9c90ac5b0fc4f9273b6e0cf16f70eedd8e.exe
behavioral7: 901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe
behavioral8: 938b7e042bda75e416261e46d0d4873781fd5d53c2ce6c2748b92eeb8a826598.exe
behavioral9: 96d1bc7dec91a7a4e5fe653853a504e07d17e898fa437cf75e929fa909dd6bb7.exe
behavioral10: Built.exe
behavioral11: DHL_PT563857935689275783656385FV-GDS3535353.bat
behavioral12: DTLite.exe
behavioral13: PDF.FaturaDetay_202407.exe
behavioral14: PDF.exe
behavioral15: SIP.03746.XSLSX.exe
behavioral16: a33245a27c02bbb72bf66f6bf1c960affefa8ed2a096dc1d6faa6699fe81c48a.exe
behavioral17: arwbjuh.exe
behavioral18: bjutbht.exe
behavioral19: black.bat
behavioral20: borlndmm.dll
behavioral21: ccleaner.exe
behavioral22: d87e2dcd2eb9763552645a34218696143fa99ac7b5173dcd04889ce9f5ddf96d.exe
behavioral23: dwvhgtd.exe
behavioral24: file.exe
behavioral25: helper.bat
behavioral26: setup.exe
Malware Config

Extracted: remcos 4.9.3 Light
RemoteHost: 127.0.0.1:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-52SPIJ
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5

Extracted: http://thelustfactory.com/vns/1.ps1
Extracted: http://thelustfactory.com/vns/2.ps1
Extracted: http://thelustfactory.com/vns/winrar.exe

Extracted: smokeloader (pub1)

Extracted: remcos
RemoteHost: 23.254.224.59:2404
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: -6LCEJ4
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5

Extracted: asyncrat 1.0.7
Default
2.56.245.243:7777
DcRatMutex_qwqdanchun
delay: 1
install: false
install_folder: %AppData%
Targets

Target: 1PDF.FaturaDetay_202407.exe
Size: 323KB
MD5: d8bf792f818877bf4848fde9511caeb8
SHA1: a8aea1abb7cf1ddb275584bb5746c97790342e80
SHA256: f5d96127b34730cf3bbbccd1c35098873fc0af897cc5d6dc3dd39a8e64c511d7
SHA512: 28292c32d518cecb66ef0a41f583022b6c125ae758fb013dd51896c25625cc23da2a8604d794e2198939f994d15bec09d9b67003bc5bd734d27b15b167e1ebe4
SSDEEP: 6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BLtsorUC7ggXpTILMYSQpIIQENMshQt:kANwRo+mv8QD4+0V161tTNjkIIFN5c
Score: 8/10
- Executes dropped EXE
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.

Target: 3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e.exe
Size: 1.9MB
MD5: 0475d0b51b30bf28599601243c9a9aae
SHA1: 7adf31fb8aaa01d94531f9e058e33877e0141ccf
SHA256: 3e6642f7100bb72137d68b5aa34a2d1f1a75722ab7d2b15987bbdeb84bc3265e
SHA512: 92167276fc1688239f252a7101c2082ce6cd1f65f30de3b9b33a22d2fcd58a542faecf308d67c719756b4b504247c1588d159120439d1d2ef1a47612575192d6
SSDEEP: 24576:7DseOujx71gWufN62I520/hjlB6iTzKFjiZpWFsZrKp0HqGmyejFykKu9XusD4eq:7DjxSNudSOZpW+wG8nXv0eq
Score: 10/10

Target: 4c40337094cf0bb86fad86d2ea724ac6e6a499f0acd877839a69d35c354a7792.exe
Size: 2.2MB
MD5: 05b8f1d7c18fe35533949d3b3ae5c726
SHA1: 581171a5941b4231548331b16b2342b50616dd23
SHA256: 4c40337094cf0bb86fad86d2ea724ac6e6a499f0acd877839a69d35c354a7792
SHA512: f0effe37b6097d286ba67f44da82847a56c0b933166bb4904cc75db074ad11152bd06b80733c927e55ddac84a335ff764ac8cf3d5eccdd11079f2e0162476ea5
SSDEEP: 49152:ob33xSNudSRZpWod7tOvJOHdi1PXdFs0KinlZ4PCLRn:ooRRt6udqr
Score: 10/10

Target: 644d928a4a942f6ae4c90640103b595941f7a0b557ba49d122d137b1429c0325.exe
Size: 2.0MB
MD5: 771eade8ae168734077830344b852624
SHA1: 5ac6b79a426a3229adef67508b751815af689f86
SHA256: 644d928a4a942f6ae4c90640103b595941f7a0b557ba49d122d137b1429c0325
SHA512: ec70c99c9c0f608abd25ad614488c5a8adf7170aa29a4204efa5e7d03c0a50a55fdabbbf5758a4a24f9542fd264e98c05b28e99082e5775ca4b3d13614eef3b6
SSDEEP: 24576:N2bLgxjx71gWufN62I520/hjlB6iTzKFMiZpWht5YY7tOvkIOTpNsVOt1a42oU+D:NYQxSNudS5ZpWNd7tOvJONNdMboMToL
Score: 10/10

Target: 64ec6562b96016699c6ae14166f4d31bde2b160eaa84d34a661fc2943017202e.exe
Size: 1.9MB
MD5: 2c9b6dd3a6026fa2c7db268eaea331df
SHA1: fb4c9fe50dfc133895929a96f1f43047a4ced8dd
SHA256: 64ec6562b96016699c6ae14166f4d31bde2b160eaa84d34a661fc2943017202e
SHA512: 899728690f636ab34e440eb1add2abd16dc3e286fd51608b2d41531ca8c00d79925e8565622185bd35e8cdc0d0c6a1a5c001c4faeba2c36e593f96cde7128856
SSDEEP: 24576:ZDgcvIjx71gWufN62I520/hjlB6iTzKFjiZpWOsZrKp0HqGmyejFyogd23TZdG35:ZDFExSNudSOZpWfwG8Xd3Vkk
Score: 10/10

Target: 7a0395c75ac633d66a7a9f2690cbdb9c90ac5b0fc4f9273b6e0cf16f70eedd8e.exe
Size: 2.0MB
MD5: 1e96a6d78465dceadfaedf2c8200a6de
SHA1: 8f4569d6233bb9ba161a68527ee9b8e8c04a63bb
SHA256: 7a0395c75ac633d66a7a9f2690cbdb9c90ac5b0fc4f9273b6e0cf16f70eedd8e
SHA512: 7a920008616f6b2a2c7abfd272b2e22c471dd68b5d9d6c8bcbb521bb26173d8e06fc0b291964205cdc9347dd6a946fcd2239a8d0ca67bd1adaa0eaeae1722127
SSDEEP: 49152:j1YhxSNudS5ZpW5d7tOvJOpE8BIMXxl4IPTRUN33eFvlux4NuAIBq6As/qZrUFju:BYm5Et6OEVS
Score: 10/10

Target: 901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4.exe
Size: 2.2MB
MD5: 6c155f7b7d10fffc7a31ce4eb5d3a1f8
SHA1: f3483275258b30ab963e672656fd9aaebe814877
SHA256: 901478668c0d5ecb3b5044dcb3e1744045f7b2a800a7c0c67020d9294470f3d4
SHA512: 5a1a94c2b63a683a5281b05b998b5b35a215bab2cc47c74f332783a78a5de107f8bb15ca3c006e1672f4ab4918376f09769fa028a172b68a6ded814e4be0ed65
SSDEEP: 49152:qb33xSNudSRZpWXd7tOvJOodL1PXdFs0Ki3lZ4/yARne:qoR2t6ld1Ln
Score: 10/10

Target: 938b7e042bda75e416261e46d0d4873781fd5d53c2ce6c2748b92eeb8a826598.exe
Size: 1.9MB
MD5: c318036044f10d288cedac36d81a611b
SHA1: 442245535cd0c4876f784a28fdbf6a32bb70e220
SHA256: 938b7e042bda75e416261e46d0d4873781fd5d53c2ce6c2748b92eeb8a826598
SHA512: 6043678915f0893b3fbca5633dc1effe2e27d0f25eb1da413b14b93aa4204334b8792fee3e67bbfc905cc0130748afbec6fc6aaf834fe7c168a430bd06d769da
SSDEEP: 24576:MDXpgvsPjx71gWufN62I520/hjlB6iTzKF+iZpWWt5YY7tOvkIOTUQvb7Mhh21:MDevYxSNudSrZpWKd7tOvJOpb7K81
Score: 10/10

Target: 96d1bc7dec91a7a4e5fe653853a504e07d17e898fa437cf75e929fa909dd6bb7.exe
Size: 1.9MB
MD5: 793083dde2eea5178604a08fb09da307
SHA1: 95934b5ce27e6e6460e0eb4d6f6d43f5ee152fde
SHA256: 96d1bc7dec91a7a4e5fe653853a504e07d17e898fa437cf75e929fa909dd6bb7
SHA512: 94cf4786a639eca98bfaf553349afae0bd68a905fe73b423399ed3a728aa572baabb08040ca778fc4bb24ce26d3deaf1cb6649e1a674570b0dfb98b205049b5c
SSDEEP: 49152:b3BxSNudSRZpWid7tOvJOu1LhCvV1iSvz6qHtBnP8x1NABnNm6z+EknpBASLKbiu:aRrt62T
Score: 10/10

Target: Built.exe
Size: 33.3MB
MD5: bf496771139b8b76ab7e2e3813ce78a3
SHA1: 949686fc9af5710904902044e92b0397b337d814
SHA256: 92118eac9bf1f5e9cf45e2773f74163202f609125e8f0aa0a077446e6f1cd4d1
SHA512: ce9ab86130380ffc378ae3cd14c67c94f6034631821392aba9c8946eec07591311e7942b45cfe2dacfcae6cfe73495937be9b81790ea66824c3212fcb9cd3bc2
SSDEEP: 786432:8Nz4CWGpXkqva096PzXf4mWy1DlIF1qqHdbrtTqslFEO:IkCWGJ446rPu/FQqjqwFd
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Hide Artifacts: Hidden Files and Directories

Target: DHL_PT563857935689275783656385FV-GDS3535353.bat
Size: 6KB
MD5: 60186cd9a2e82835bc143c1fb4662b7e
SHA1: 880c7f14743f9759b30bcc28085949122f54c20e
SHA256: b66081b0e5dfe21e03d1043700d7c05e65bda96ad33a6370c374217d5ae84405
SHA512: 98ca66c502178601cf1d568fb4b5ef122564f548eae2c82c9979207ea69398212f2b35571f3cc0696ec9edb70174a016c00ddd12fc26140d63196188e6f0f8b7
SSDEEP: 192:jOJVeUYLAKLt+IS0y+80TJco4Ga5y0p8te:QeAKZZS280FL3aw0aE
Score: 8/10
- Blocklisted process makes network request

Target: DTLite.exe
Size: 2.1MB
MD5: 684de18cccab7719057cd4bbfbee16c3
SHA1: a7b956a4aca4624fb466a932d49fb3268a42b7e2
SHA256: fb26dcd89930afef0012125087704a3564d8ef0a37c3c6c021b42071ad273ceb
SHA512: a06aefaf05f3011daeb65a34a773e920b868078c3c104982546a6d5a75c3da11cf9988adb1d595264d8d3cf78f340bae2d8242ca3e6090d72e2fce747c7176cb
SSDEEP: 49152:/1YhxSNudS5ZpWBd7tOvJOUUFBIMXxl4IPTRUN33eFvlux4NuAIBq6As/qZrUFjk:dYm54t6rUOSW
Score: 10/10

Target: PDF.FaturaDetay_202407.exe
Size: 322KB
MD5: 3a2ba5be087162cfdb5d49ac32edd534
SHA1: 879043e2954c4cf7f461c1381ae2a943d71bbaef
SHA256: 7a285458817660143004002c76b1e1457666b1659dfbd35863541f62630430d0
SHA512: ba8dba7d1cd39b00cf6ee894809b1c09a3f72484d6dafb4ff2b2663d29247baf0565dfc3e4f0bcccb78138ffca59e9c56579485244d00f5b1bc69cfedb1c024a
SSDEEP: 6144:CZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6BLGx1d0RjzV5Pnz63LLHBNy:kANwRo+mv8QD4+0V16xblLPkLLhNy
Score: 8/10
- Executes dropped EXE
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.

Target: PDF.exe
Size: 258KB
MD5: 34c2047d0b69ba023b700c21431accc0
SHA1: e34c28611707c81565cb73d8a1a46dfc3ab2495a
SHA256: ff9b39d07fd6e4a7f98d109664d91de9e318671da6412da85396541722d92799
SHA512: a1566d65beb8135edfcb5c4a09631bc17dff56db672621990a10d0eff37a0290c7e1e9705f1918a7e719cbea4b1cecc29bb8254da946108e9bd5432070cc8ca7
SSDEEP: 6144:VbJhs7QW69hd1MMdxPe9N9uA0hu9TBrjJ0Xxne0AqGLj:VbjDhu9TV6xeJqG3
- Blocklisted process makes network request
- Modifies Windows Firewall
- Executes dropped EXE

Target: SIP.03746.XSLSX.exe
Size: 321KB
MD5: a3e681364daaa68ce0177581573f483f
SHA1: eefb4725622f42019e475aa26439c0cf60dc7cc2
SHA256: a94869345f7f1f3a1bc6cca4aa94cc7bde30dcb0bb18198567ea58cc93ba2c15
SHA512: a071ae229d39674e53cf0051bde78b792041064a90580ab4ef51c4bec8dd4e7cc19934a3249e45df20cf3bc1aa76b28ba04f954eda9767acd2aa2092c606949b
SSDEEP: 6144:RZABbWqsE/Ao+mv8Qv0LVmwq4FU0fNoy6oHGx1d0RjzV5Pnz63LLHBN+:PANwRo+mv8QD4+0V16oHblLPkLLhN+
Score: 8/10
- Executes dropped EXE
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.

Target: a33245a27c02bbb72bf66f6bf1c960affefa8ed2a096dc1d6faa6699fe81c48a.exe
Size: 1.9MB
MD5: 2121a055e132df9c2b62d3ad578faa85
SHA1: 60439cb5d41f2256eb54bbd1d84d8d04d78272ef
SHA256: a33245a27c02bbb72bf66f6bf1c960affefa8ed2a096dc1d6faa6699fe81c48a
SHA512: 55039a343efd737a7488193f777ca0a44dc465f098e51241d8a0699478d72dda9f5eb8bb204e96cc81da14191475e1ff87132680ac4b5956cb1b85d06a4a6c71
SSDEEP: 24576:kDLnN/pjx71gWufN62I520/hjlB6iTzKF+iZpWSsZrKp0HqGmyejFyzXYVN4on59:kDLn7xSNudSrZpWLwG8bvn59
Score: 10/10

Target: arwbjuh.exe
Size: 294KB
MD5: 2b292145e4ec28e8bd8b22c1353543d1
SHA1: d9b9d23b2c320efcaf54ddcba8b42540f3934aa0
SHA256: 60bda530b226d63299968670e256a9a2896ab69076e16792436e92f95bc0d0e0
SHA512: 2b0cd9732b39fb99b37a0a67c091083e31989c9e41a2c9be6da8f3d10382d65d27a79968dc9c9abc55bf659d47898d17f9f4a6873a0046612ca76733cd50ca58
SSDEEP: 3072:Dq3vlb4qEAkDhZdrTbLC9VZBjnNgRM6Fh:DybjEXFZd3C9VZ7eF
Score: 10/10

Target: bjutbht.exe
Size: 294KB
MD5: 9442e7f51753f9ef3604a13e459334aa
SHA1: b8ecc6920c4fca9725fbc78d6684359c88b8224a
SHA256: 7e0623dbd4975ddc7790c45c9407527c048cb04727ddf757e70f7d5b702703fd
SHA512: 5af0b0653245ebc1a1aac4cca90d2bb53b48bea25a8f104cbd3e410f1374ef86a578fc56b3c7d42fc9bb0a5b22db97b007805da72528c89dca575c8196361cce
SSDEEP: 3072:lCHi6zfNNcKW0PNXiWIztAq/czUZrHFdOIMRsSHHi:lezVlPxbKpEqiHH
Score: 10/10

Target: black.bat
Size: 7KB
MD5: 1527117f206e85215dc0b306ff303997
SHA1: 058297bbc06690c0fc1614a27dccab912acbfd01
SHA256: 8ea56b9b4f79485aedb615161ba64c55950a6970f21dc0f2a7691dd66de91cd2
SHA512: 490de266e4516bee0cc6075ec693cbe53c629a1f9740df94951b780745ea67b452b96b6d4e413d9a144e2f853da4cbd0bfab86638440daf8cc7ac9a1269c4e4f
SSDEEP: 192:9y/GNQigY2Nw9GKNCufevytXrrLe57YKRZ280QDdc28eNMqMzDWZ:9EGNrJzsKUufKytXr2OKH0Mi28eNMqM2
Score: 8/10
- Blocklisted process makes network request

Target: borlndmm.dll
Size: 2.8MB
MD5: eb6fad4894d0b420b92c00acda8122ae
SHA1: 8be6dfa8e216d2f7b68f2ab05e63a78fa51374f6
SHA256: 18a26f67712f75a9251e8350089fc83d55c33f2fa82c46e5f67f1d6dc5716a4a
SHA512: 4cbaad723076f539788acca418dcc9234d0c9d2978978a855cd670a6ad2300ebe4bb28c35fc048494df30c9d76bead5b6aae1b26168e6e0b230d34ac8797202e
SSDEEP: 49152:1MkOevf30HlhHRPErtXFqVn1P2Rt8fUaRMXA3IloTf7OFk/41NjwT7x7uFh1hz:kY1Un1P2Rt8fUaRMXkuwB7uF5z
Score: 10/10
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger

Target: ccleaner.exe
Size: 1.9MB
MD5: a7e44b01b9f23031067e9032196cc0ba
SHA1: c8c763e9cc7a1eeb724a1c54f92f29e2f5382ce4
SHA256: ba5067481b31085ae5222f912097d54125dcc97c6551396f11974ae4bec2bd98
SHA512: caa6feb23c2bcdcfd8affafddcf71bd03fbe44a8fa7d197e6643a3609026f1821451f998b3a9c47649c99a0271cbf481e3e47375dd91b562005091ef3706f53f
SSDEEP: 24576:RDXpgvsPjx71gWufN62I520/hjlB6iTzKF+iZpWdt5YY7tOvkIOTbNvb7Jhh2:RDevYxSNudSrZpWxd7tOvJOtb7v8
Score: 1/10

Target: d87e2dcd2eb9763552645a34218696143fa99ac7b5173dcd04889ce9f5ddf96d.exe
Size: 2.2MB
MD5: b1fb38b2b6032ca248f163aaa5cf8ae6
SHA1: f6dac083cd4762a832371eddcbb94362a31c58b0
SHA256: d87e2dcd2eb9763552645a34218696143fa99ac7b5173dcd04889ce9f5ddf96d
SHA512: 613e75f96c2bc5d591de36e374313b9ad444fc62126b056d2d62f402dd0182fadba78e04d4602c3dd34445629a3d9f7e1f46d15ab61992c73f1e4371700337a3
SSDEEP: 49152:sxSNudSnZpWDd7tOvJOodL1PXdFs0Ki3lZ4q:rn6t6ld1z
Score: 10/10

Target: dwvhgtd.exe
Size: 294KB
MD5: 846954f6bb92d6152358220de974eadb
SHA1: 2c48027755783d35b163a43b62ffafba8345155d
SHA256: aac7b251e062ab7269ce69a144a2587b21c054bb166464e23b0cbf9d37d13f59
SHA512: a6fc58543c6f6ad62ea73d60790b58ab758e8be2e7300a844f5032e991b8cd9472105eec9ff88035dff7f176f1f838776ed256db618087b6da70e1c332fd56c7
SSDEEP: 3072:Vq3vlbw7VtyD3Y8xgpLJuMg9h4XE7mbggyF3cE1VEzLSnhl6AJ:VybGnS6LJuwfgZME1ESniA
Score: 10/10

Target: file.exe
Size: 294KB
MD5: 9442e7f51753f9ef3604a13e459334aa
SHA1: b8ecc6920c4fca9725fbc78d6684359c88b8224a
SHA256: 7e0623dbd4975ddc7790c45c9407527c048cb04727ddf757e70f7d5b702703fd
SHA512: 5af0b0653245ebc1a1aac4cca90d2bb53b48bea25a8f104cbd3e410f1374ef86a578fc56b3c7d42fc9bb0a5b22db97b007805da72528c89dca575c8196361cce
SSDEEP: 3072:lCHi6zfNNcKW0PNXiWIztAq/czUZrHFdOIMRsSHHi:lezVlPxbKpEqiHH
Score: 10/10

Target: helper.bat
Size: 27KB
MD5: 8d987e2f2fef6f2bd726d392bac46c55
SHA1: 64ab8a696b52189d5fd809da924d1dc36e07d7c3
SHA256: 10e4a6b54cc0cf4d18dde8b69e0b305abe487e07ed990c5bff82ce30b217b910
SHA512: a8c48da620cfc0b4ea55efba87a98625e4b1eaf4553006a259fc5915836afcdee413180d1dcfc40ab8830741257f5ab723d4536788b0d751a6ba8a28cbfcdf45
SSDEEP: 768:AZWM6xwaPdP30trmRblevg8heVbaEUdLQdy6VTRZE3mn:ZM6xzR30ZmRb4YI2TILQdy6VTRL
- Async RAT payload
- Blocklisted process makes network request

Target: setup.exe
Size: 5.0MB
MD5: d6dd2275a92bd37adb3a886255a431ef
SHA1: a28933f79041f29a681cfb444fc7b8d63435c510
SHA256: e51f3f998cd7c0783deb68c18c39b6ccf77f5dca0b611ddd23dcf09845ab8b31
SHA512: 1c303bf3dfc8ba54d02096615cdbf34752a312c2478f16c3fc38a8e75b2ab0619fb46e434b2b96aa89114873c3659db91fb9e0308fe47d91d0b9124e48814ded
SSDEEP: 98304:Cf6hoGwhlxoORmkoq6LoTxHVo81F728I/e6KMMj9BZCloOhyNnh+IDQxb:avpeAZILoTFT1s8n9TfhdDQB
Score: 7/10
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.

MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)

Defense Evasion
- Hide Artifacts (3)
  - Hidden Files and Directories (2)
  - Hidden Window (1)
- Impair Defenses (1)
  - Disable or Modify System Firewall (1)
- Modify Registry (2)