badrabbit

Sharing

General

Target

ZRK 1.1_[unknowncheats.me]_.zip
Size

25.4MB
Sample

241014-q6cnaaybra
MD5

4560fd3efd98936cf685856b970df29e
SHA1

32279586bdc00bcd416c7c53ab18408f164811fb
SHA256

ef483723ac88d655dfc5f08537cbc7ca6bef3ca2c2f34fd1ade321156f4efe08
SHA512

64df28409b1b49b808eca078bee16cf39b4e0f4510695eab46612bcbcd4a004ad47033bb8f181040fc3983f5061b3135867f2563ae914580a297ece21ba2d5f7
SSDEEP

786432:z02m2RJDDwj7Itne3z5m3H/u9j+s1UZkyzCnNKi:z06fmItn4zWH/8CYUKkCNKi

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Userdata.exe
copy_folder
Userdata
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_vcexssuhap
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  ZRK 1.1_[unknowncheats.me]_.zip
- Size
  
  25.4MB
- MD5
  
  4560fd3efd98936cf685856b970df29e
- SHA1
  
  32279586bdc00bcd416c7c53ab18408f164811fb
- SHA256
  
  ef483723ac88d655dfc5f08537cbc7ca6bef3ca2c2f34fd1ade321156f4efe08
- SHA512
  
  64df28409b1b49b808eca078bee16cf39b4e0f4510695eab46612bcbcd4a004ad47033bb8f181040fc3983f5061b3135867f2563ae914580a297ece21ba2d5f7
- SSDEEP
  
  786432:z02m2RJDDwj7Itne3z5m3H/u9j+s1UZkyzCnNKi:z06fmItn4zWH/8CYUKkCNKi
Score

8^/10

discovery persistence upx
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1 behavioral2
- Target
  
  ZRK 1.1 UC/ZRK 1.1.exe
- Size
  
  3.4MB
- MD5
  
  2ca19aa3d5216097c87698c0b569273d
- SHA1
  
  888e1e0eb175a4fef28d0d1285de3cb1605935da
- SHA256
  
  996a9b97adfd11ecb4d3c29fa4b1ca3d0c606b924c5affc9c2eb2846878cee37
- SHA512
  
  21285f484b73381e0b5598456238e585b73bfd37ef36a77c373a9f8696be4f360f42dbdcdb6d3509c332d3c9094e8fad93728d55c9c29451cdcd10506d9c3155
- SSDEEP
  
  49152:/u8OcIghRNkpSbKGvSHTNP9gt0H0XBWspHXWtKdfgzcv+IaiqE8MrCBpgTY840lG:WCk0bKWEP9jHOB7XWtsf2QA5pgTY8Dl
Score

1^/10
behavioral3 behavioral4
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/MSVCP140.dll
- Size
  
  576KB
- MD5
  
  01b946a2edc5cc166de018dbb754b69c
- SHA1
  
  dbe09b7b9ab2d1a61ef63395111d2eb9b04f0a46
- SHA256
  
  88f55d86b50b0a7e55e71ad2d8f7552146ba26e927230daf2e26ad3a971973c5
- SHA512
  
  65dc3f32faf30e62dfdecb72775df870af4c3a32a0bf576ed1aaae4b16ac6897b62b19e01dc2bf46f46fbe3f475c061f79cbe987eda583fee1817070779860e5
- SSDEEP
  
  12288:xI88L4Wu4+oJ+xc39ax5Ms4ETs3rxSvYcRkdQEKZm+jWodEEVh51:xD89rxZfQEKZm+jWodEEP5
Score

1^/10
behavioral5 behavioral6
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/MSVCP140_1.dll
- Size
  
  30KB
- MD5
  
  0fe6d52eb94c848fe258dc0ec9ff4c11
- SHA1
  
  95cc74c64ab80785f3893d61a73b8a958d24da29
- SHA256
  
  446c48c1224c289bd3080087fe15d6759416d64f4136addf30086abd5415d83f
- SHA512
  
  c39a134210e314627b0f2072f4ffc9b2ce060d44d3365d11d8c1fe908b3b9403ebdd6f33e67d556bd052338d0ed3d5f16b54d628e8290fd3a155f55d36019a86
- SSDEEP
  
  384:rOY/H1SbuIqnX8ndnWc95gW3C8c+pBj0HRN7bULkcyHRN7rxTO6iuQl9xiv:yYIBqnMdxxWd4urv
Score

1^/10
behavioral7 behavioral8
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5Core.dll
- Size
  
  5.7MB
- MD5
  
  817520432a42efa345b2d97f5c24510e
- SHA1
  
  fea7b9c61569d7e76af5effd726b7ff6147961e5
- SHA256
  
  8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a
- SHA512
  
  8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441
- SSDEEP
  
  98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
Score

1^/10
behavioral10 behavioral9
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5DBus.dll
- Size
  
  426KB
- MD5
  
  0e8ff02d971b61b5d2dd1ac4df01ae4a
- SHA1
  
  638f0b46730884fa036900649f69f3021557e2fe
- SHA256
  
  1aa70b106a10c86946e23caa9fc752dc16e29fbe803bba1f1ab30d1c63ee852a
- SHA512
  
  7ba616ede66b16d9f8b2a56c3117db49a74d59d0d32eaa6958de57eac78f14b1c7f2dbba9eae4d77937399cf14d44535531baf6f9db16f357f8712dfaae4346a
- SSDEEP
  
  6144:ZLvnUJ17UTGOkWHUe/W9TgYMDu96ixMZQ8IlXbKgp8aIDeN:KP7cGOGegTwu96ixMZQtlrPN
Score

10^/10

darkcomet remcos host agilenet aspackv2 defense_evasion discovery evasion persistence ransomware rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Enables test signing to bypass driver trust controls
  Allows any signed driver to load without validation against a trusted certificate authority.
  defense_evasion
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- ASPack v2.12-2.42
  Detects executables packed with ASPack v2.12-2.42
  aspackv2
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Modifies WinLogon for persistence
  persistence
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5Gui.dll
- Size
  
  6.7MB
- MD5
  
  47307a1e2e9987ab422f09771d590ff1
- SHA1
  
  0dfc3a947e56c749a75f921f4a850a3dcbf04248
- SHA256
  
  5e7d2d41b8b92a880e83b8cc0ca173f5da61218604186196787ee1600956be1e
- SHA512
  
  21b1c133334c7ca7bbbe4f00a689c580ff80005749da1aa453cceb293f1ad99f459ca954f54e93b249d406aea038ad3d44d667899b73014f884afdbd9c461c14
- SSDEEP
  
  49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
Score

6^/10

discovery
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2
behavioral13 behavioral14
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5Network.dll
- Size
  
  1.3MB
- MD5
  
  3569693d5bae82854de1d88f86c33184
- SHA1
  
  1a6084acfd2aa4d32cedfb7d9023f60eb14e1771
- SHA256
  
  4ef341ae9302e793878020f0740b09b0f31cb380408a697f75c69fdbd20fc7a1
- SHA512
  
  e5eff4a79e1bdae28a6ca0da116245a9919023560750fc4a087cdcd0ab969c2f0eeec63bbec2cd5222d6824a01dd27d2a8e6684a48202ea733f9bb2fab048b32
- SSDEEP
  
  24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
Score

8^/10

discovery evasion persistence ransomware
- Disables Task Manager via registry modification
  evasion
- Downloads MZ/PE file
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral15 behavioral16
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5Qml.dll
- Size
  
  3.4MB
- MD5
  
  d055566b5168d7b1d4e307c41ce47c4b
- SHA1
  
  043c0056e9951da79ec94a66a784972532dc18ef
- SHA256
  
  30035484c81590976627f8face9507caa8581a7dc7630cccf6a8d6de65cab707
- SHA512
  
  4f12d17aa8a3008caa3ddd0e41d3ed713a24f9b5a465ee93b2e4beccf876d5bdf0259aa0d2dd77ad61bb59dc871f78937ffbe4d0f60638014e8ea8a27caf228d
- SSDEEP
  
  98304:iPnt09+kVh2NrSdSG779LLLS/o/L4YqoY0Xba+mRRH2T:iPnt2ZVhT
Score

10^/10

badrabbit mimikatz defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware trojan upx
- BadRabbit
  Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
  ransomware badrabbit
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- mimikatz is an open source tool to dump credentials on Windows
- Disables RegEdit via registry modification
  evasion
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- Impair Defenses: Safe Mode Boot
  defense_evasion
- Adds Run key to start application
  persistence
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Modifies Windows Firewall
  evasion
- Modifies WinLogon for persistence
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral17 behavioral18
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5QmlModels.dll
- Size
  
  428KB
- MD5
  
  2030c4177b499e6118be5b9e5761fce1
- SHA1
  
  050d0e67c4aa890c80f46cf615431004f2f4f8fc
- SHA256
  
  51e4e5a5e91f78774c44f69b599fae4735277ef2918f7061778615cb5c4f6e81
- SHA512
  
  488f7d5d9d8deee9bbb9d63dae346e46efeb62456279f388b323777999b597c2d5aea0ee379bdf94c9cbcfd3367d344fb6b5e90ac40be2ce95efa5bbdd363bcc
- SSDEEP
  
  6144:k1tE6lq982HdyuEZ5gw+VHDZjZ0yOWm7Vdcm4GyasLCZCu6vdQp:k1tEuq9Hdyuo5gwguyOtVIup
Score

8^/10

discovery persistence
- Drops file in Drivers directory
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Legitimate hosting services abused for malware hosting/C2
behavioral19 behavioral20
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5Quick.dll
- Size
  
  4.0MB
- MD5
  
  65f59cfc0c1c060ce20d3b9ceffbaf46
- SHA1
  
  cfd56d77506cd8c0671ca559d659dab39e4ad3c2
- SHA256
  
  c81ad3c1111544064b1830c6f1aef3c1fd13b401546ab3b852d697c0f4d854b3
- SHA512
  
  d6f6dc19f1a0495026cba765b5a2414b6af0dbfc37b5aceed1cd0ae37b3b0f574b759a176d75b01edd74c6ce9a3642d3d29a3fd7f166b53a41c8978f562b4b50
- SSDEEP
  
  49152:EcDwCQsvkBD+ClI3IAVLA7Tr15SokomoqxQhT2bAssCFEUGX5ig:E7CKPsA3p0Z/QV/sS3Ag
Score

1^/10
behavioral21 behavioral22
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5Svg.dll
- Size
  
  322KB
- MD5
  
  03761f923e52a7269a6e3a7452f6be93
- SHA1
  
  2ce53c424336bcc8047e10fa79ce9bce14059c50
- SHA256
  
  7348cfc6444438b8845fb3f59381227325d40ca2187d463e82fc7b8e93e38db5
- SHA512
  
  de0ff8ebffc62af279e239722e6eedd0b46bc213e21d0a687572bfb92ae1a1e4219322233224ca8b7211ffef52d26cb9fe171d175d2390e3b3e6710bbda010cb
- SSDEEP
  
  6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
Score

1^/10
behavioral23 behavioral24
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5WebSockets.dll
- Size
  
  145KB
- MD5
  
  a016545f963548e0f37885e07ef945c7
- SHA1
  
  cbe499e53ab0bd2da21018f4e2092e33560c846f
- SHA256
  
  6b56f77da6f17880a42d2f9d2ec8b426248f7ab2196a0f55d37ade39e3878bc6
- SHA512
  
  47a3c965593b97392f8995c7b80394e5368d735d4c77f610afd61367ffe7658a0e83a0dbd19962c4fa864d94f245a9185a915010afa23467f999c833982654c2
- SSDEEP
  
  3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
Score

1^/10
behavioral25 behavioral26
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/Qt5Widgets.dll
- Size
  
  5.2MB
- MD5
  
  4cd1f8fdcd617932db131c3688845ea8
- SHA1
  
  b090ed884b07d2d98747141aefd25590b8b254f9
- SHA256
  
  3788c669d4b645e5a576de9fc77fca776bf516d43c89143dc2ca28291ba14358
- SHA512
  
  7d47d2661bf8fac937f0d168036652b7cfe0d749b571d9773a5446c512c58ee6bb081fec817181a90f4543ebc2367c7f8881ff7f80908aa48a7f6bb261f1d199
- SSDEEP
  
  49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
Score

1^/10
behavioral27 behavioral28
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/bin/VCRUNTIME140.dll
- Size
  
  99KB
- MD5
  
  971dbbe854fc6ab78c095607dfad7b5c
- SHA1
  
  1731fb947cd85f9017a95fda1dc5e3b0f6b42ca2
- SHA256
  
  5e197a086b6a7711baa09afe4ea7c68f0e777b2ff33f1df25a21f375b7d9693a
- SHA512
  
  b966aab9c0d9459fada3e5e96998292d6874a7078924ea2c171f0a1a50b0784c24cc408d00852bec48d6a01e67e41d017684631176d3e90151ec692161f1814d
- SSDEEP
  
  1536:RCKWZGuEK0mOLSTxoPl9GIcuZrxi4hXX9oix8H+NCIecbGShwZul:RFWY1WxgGStJ8H2CIecbG36
Score

1^/10
behavioral29 behavioral30
- Target
  
  ZRK 1.1 UC/src/PyQt5/Qt5/translations/qt_ar.qm
- Size
  
  130B
- MD5
  
  8ff05b56c0995f90a80b7064aa6e915c
- SHA1
  
  d5aeb09ae557ceefb758972ec4ac624cddc9e6a7
- SHA256
  
  a8a1b0d6f958e7366d1c856be61000106d3e7fc993fb931675369892b9002d0b
- SHA512
  
  5374e0f1d3f5a6a456b00732de8005787b17ecef9c8a2b2c1228966a6a8de211700334d8fd789dad269f52d0aeed3f5160010ca60909861e270c253b3ea881a4
Score

3^/10

discovery
behavioral31 behavioral32