General

  • Target

    2DEMNADALABORAL-JUZGADO02CIVILDELCIRCUITORAMAJUDICIAL.zip

  • Size

    2.9MB

  • Sample

    240830-valcrsvgjp

  • MD5

    43f189bd6eb0880f13a79f979e2eae63

  • SHA1

    a8e2ad46e48a941e37b1436e5e0d96804d2e835c

  • SHA256

    5dbd0331888e0ebb32973f77a94a26e68b8563e68a0c66062b96eab5fdd1a35e

  • SHA512

    35f781ff44b2832e9b2306fa240f0a56cf006d9acc616e3ce397da9af408c246034b1781500719e36f62e5b6ff07df02a7e58b8996bd4fe448a615b6a6683d1d

  • SSDEEP

    49152:VEUZ+mVZJu0sMSaaIBWSWSaSlLa36cBmU6CD/q8aonw+L6RW77HQztvbUAmss3K1:euJluGxKT4q68mNCD/q8vw+L37HotzUU

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

C2

enviasept.duckdns.org:3030

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://bitbucket.org/556ghfhgfhgf/fdsfdsf/downloads/dllhope.txt

Extracted

Family

remcos

Botnet

RemoteHost

C2

sost2024ene.duckdns.org:1213

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZJ3RBQ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/1 DEMANADA LABORAL.exe

    • Size

      3.1MB

    • MD5

      b841d408448f2a07f308ced1589e7673

    • SHA1

      f5b5095c0ed69d42110df6d39810d12b1fa32a1e

    • SHA256

      69a90665113bd73b30360d87f7f6ed2c789a90a67f3b6e86474e21273a64f699

    • SHA512

      a689734048109ab7bec9491bbb7781686c19c7885166b3ca2975e2f49e956fcc388cd8ca85a4e5a8bf9efe6056f1e0d80197b7f521d4f0d4cadb10ba9ef1fa93

    • SSDEEP

      49152:pvFg5qg9BtIAHE3SM4ahx6LK2SamuZob+tCjNrv8:Jm5qGBHBLRKuZfkjNrv8

    • AsyncRat

      AsyncRAT is a remote monitoring and control tool, written in C#, used to control other computers remotely.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Legitimate hosting services abused for malware hosting/C2

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

    • Target

      2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/madHcNet32.dll

    • Size

      921KB

    • MD5

      d22b9da713ab36102c9c3d812af8c12d

    • SHA1

      371fdbf6ae6a9a2e5c0560fc94eba3290028a252

    • SHA256

      95b538b47e02d0ad2bd15d47efc18695d5e379ef61568b81ef405773d9c199bb

    • SHA512

      e5ae51f79403358af60bb3ea663251badac57414813f5537d763b0b95504a393fb2d34c94c4b7328ec13f58e74a7147d3a72e63e62973c4c5d80671be1c8face

    • SSDEEP

      24576:TlUbWq3/gquYUJ4Vgv0eUnDaE0efxfXT95:pUR4quYUJ4VgceXE0gxfjv

    Score
    3/10
    • Target

      2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/mvrSettings32.dll

    • Size

      1022KB

    • MD5

      a5a41ff8944533f25e059870f34e375f

    • SHA1

      26390818928bd4345bdc4cd521f90f9b36a54f75

    • SHA256

      af25aa87e44194bc4a6e1b82154db9b64e25be13951ecfb87d080208f75a4638

    • SHA512

      9cac6a25af5ef2c34fe01b0d4e67f0f218b2a5616402d8fab94570c0e60df88e748aa229eace1f0c7fb5c23742b3c7f7fa7f739a9bc1ee965a251006e13b2931

    • SSDEEP

      12288:GwsG8YWuTCipwKm3ZCdX+y0Cg57ZrVmK5UhYX5NN/u3ZeEb+LJkzuol1Y:MmWuFKKVuig5jZ5xX5P2bKyzum

    Score
    3/10
    • Target

      2 DEMNADA LABORAL- JUZGADO 02 CIVIL DEL CIRCUITO RAMA JUDICIAL/unrar.dll

    • Size

      304KB

    • MD5

      851c9e8ce9f94457cc36b66678f52494

    • SHA1

      40abd38c4843ce33052916904c86df8aab1f1713

    • SHA256

      0891edb0cc1c0208af2e4bc65d6b5a7160642f89fd4b4dc321f79d2b5dfc2dcc

    • SHA512

      cdf62a7f7bb7a6d511555c492932e9bcf18183c64d4107cd836de1741f41ac304bd6ed553fd868b442eaf5da33198e4900e670cd5ae180d534d2bd56b42d6664

    • SSDEEP

      6144:e2Gk6wDaKov/5qrawOZI8uN0f/UVvN3MwdZFmiVFC+OEu:e2GkNo35qrawqmG/yM8PmiO+Ol

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks