Overview

overview

10

Static

static

3

driverupda...xt.exe

windows7-x64

10

driverupda...xt.exe

windows10-2004-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    driverupdate_report_windows_10_22h2.txt.exe

  • Size

    13.8MB

  • Sample

    240908-rx617s1elk

  • MD5

    8360a6245b4ae84a5b6e4784d7802472

  • SHA1

    192f6d4a68ec867c5919a5d5fd4c782bf9c39127

  • SHA256

    393732bdd7df3cbbcc35dca3397178466f32de8ebd266ad5791c000288771bc5

  • SHA512

    38b4630ab40c84f822fe860038c4c48d0ea31ceaa23d05d01f599c08f44a3fe45113f4386f1874799dfb15e7d7930c369c2eeba11129adfa3f9154264cbcc63b

  • SSDEEP

    49152:M3QhanbDdeZ6Hfa/nkNQzlJ7r5oP3TXyymMknH76EAaIilSH7YNjMn80iA+cpUGN:Mn

Score
10/10
nanocorenjratremcosaugust crypter toolz grace stubhackedsupbootkitdefense_evasiondiscoveryevasionexecutionkeyloggerpersistenceprivilege_escalationratspywarestealertrojanupx

Malware Config

Extracted

Family

remcos

Botnet

AUGUST CRYPTER TOOLZ GRACE STUB

C2

teamfavour222.ddns.net :6767

odogwuvisual123.duckdns.org:6767
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    -YFLE4M

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

192.168.1.42:5552

Mutex

bf7b1fe7a7644171a9985ea45221c25c

Attributes
  • reg_key

    bf7b1fe7a7644171a9985ea45221c25c

  • splitter

    |'|'|

Extracted

Family

nanocore

Version

1.2.2.0

C2

hiatus2.ddns.net:1604

127.0.0.1:1604
Mutex

e7e30201-c342-4921-abc6-2182083982ff

Attributes
  • activate_away_mode

    true

  • backup_connection_host

    127.0.0.1

  • backup_dns_server

    8.8.4.4

  • buffer_size

    65535

  • build_time

    2024-05-31T20:09:09.303717636Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    1604

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    1.048576e+07

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    1.048576e+07

  • mutex

    e7e30201-c342-4921-abc6-2182083982ff

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    hiatus2.ddns.net

  • primary_dns_server

    8.8.8.8

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000

Extracted

Family

remcos

Botnet

Sup

C2

deadyh2849ijest.duckdns.org:8347

deadyh2849ijest.duckdns.org:37830

highestlotto.duckdns.org:37830

highestlotto.duckdns.org:8347

highest1lotto1.duckdns.org:8347

highest1lotto1.duckdns.org:37830
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    lairup.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    gbopertj-7FGJEG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      driverupdate_report_windows_10_22h2.txt.exe

    • Size

      13.8MB

    • MD5

      8360a6245b4ae84a5b6e4784d7802472

    • SHA1

      192f6d4a68ec867c5919a5d5fd4c782bf9c39127

    • SHA256

      393732bdd7df3cbbcc35dca3397178466f32de8ebd266ad5791c000288771bc5

    • SHA512

      38b4630ab40c84f822fe860038c4c48d0ea31ceaa23d05d01f599c08f44a3fe45113f4386f1874799dfb15e7d7930c369c2eeba11129adfa3f9154264cbcc63b

    • SSDEEP

      49152:M3QhanbDdeZ6Hfa/nkNQzlJ7r5oP3TXyymMknH76EAaIilSH7YNjMn80iA+cpUGN:Mn

    Score
    10/10
    nanocorenjratremcosaugust crypter toolz grace stubhackedbootkitdefense_evasiondiscoveryevasionexecutionkeyloggerpersistenceprivilege_escalationratspywarestealertrojanupxsup

    • Modifies WinLogon for persistence

      persistence

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

      keyloggertrojanstealerspywarenanocore

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Event Triggered Execution: AppInit DLLs

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

      persistenceprivilege_escalation

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Adds Run key to start application

      persistence

    • Checks whether UAC is enabled

      evasiontrojan

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

3
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks