General

  • Target

    malware-collection.zip

  • Size

    5.6MB

  • Sample

    241106-clpkfsvram

  • MD5

    27023b38ea750270fcbba58aca2b0a63

  • SHA1

    5929d8c60a6f076178fd79884cb472124b5e0950

  • SHA256

    9711e0f1f4b1ea97ecf7ddfe05b27c8f712533c2141f6e2b064d636076e76652

  • SHA512

    7999f40bd74733de62af8c7f2a74b7de02ddbc244f97c13c4ec1ec8cae004b94a607b64e0d4d558858cb9e0e91c1ebccab9b3c1ff65f0e84f3ff26be0901bf79

  • SSDEEP

    98304:jSyt/B7v5M8DuR4KL1DMLTnnvGZRX3PlCdHpeaOMSe0EfARTZs8sJ2B8FQXY6+f:Wyt/BTuFWLTnnvGZRvzR7Cfuz8FGk

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

ris4sts8yan0i.duckdns.org:23458

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-LAZAF7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7777204705:AAGdGJgXaEaWvE6yXv7RvWYjJkTQCsiDnJc/sendMessage?chat_id=7698865320

Extracted

Family

agenttesla

Credentials

Targets

    • Target

      #10302024.exe

    • Size

      1.5MB

    • MD5

      432523c2a91f208ce00e9aa553c25883

    • SHA1

      00fc307df8d7970dc4ca4c9f786d025d1032aeee

    • SHA256

      a131f667cc1c8ab17777294ffc556a8b45dd726452ccc10d716daa39d256d3a6

    • SHA512

      7a1e1f31b79bb9eff8a7463b7bb40aeb837584c990bce85b6189c07597c6bc12e17fecd1c09f53b163640b9f5e36cf6968c19499a7bf8a6d9210c9523361b31d

    • SSDEEP

      24576:NqDEvCTbMWu7rQYlBQcBiT6rprG8aIkLEdvEkGI66/aVKJvoWXrVTSNa:NTvC/MTQYxsWR7aIkwdvEkS6NlrV6

    Score: 7/10
    • Drops startup file

    • Executes dropped EXE

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    • Target

      102924_5830760.exe

    • Size

      810KB

    • MD5

      f7fc33c3bcded454047a6bfaf99f1452

    • SHA1

      a23a2448f373a4319fc0722b72595815d27c62c6

    • SHA256

      f392bfa146ad86308fa464a9505708645f99618d54483cbc6b746b656f26a3fb

    • SHA512

      0211b32321c50653fbf67190cd24455d997016f7cc9fe7e86457dfeda647ba326c2e0c2fa5d352a98ef4ec82724cd7ab50dc9988cb7e354f99623e0aa6740d29

    • SSDEEP

      24576:pG+yftcZ0DbBTVsVQ7LE8oy9jRKta3uja581Cj:wPcZ0BuO7L7o/a5

    • Target

      103024_37663.exe

    • Size

      757KB

    • MD5

      4004659f4494c57e1747f5182d774eef

    • SHA1

      84384ab6418d2034219d75b315aebf32acf4f5b0

    • SHA256

      46622c1a6a63e6306f95c2b95265f6712c2e7a44feaa302e5cfbe802e27be7a5

    • SHA512

      b5146ddd92719f46291d9fcfaae08e82726713be7f9ea12cb1c394424b40107727660c79411750cc43f43904587f4ac004b1365a1665604fb707f9ba5633ecd9

    • SSDEEP

      12288:YWq1u4H7cGfjv0Uf93GwA8gTvRJNvCM+bM8WCvKGuxc2+PCMLXGU4y7:+3Dfjv0odgV6zM6Kp23LWby

    Score: 7/10
    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      240827 YONG SHUN - GMDSS.exe

    • Size

      721KB

    • MD5

      f0e3355c1070c64e99331172426e4378

    • SHA1

      ce7ed5a4e13477785be53c78f60ddc31876d50fc

    • SHA256

      72c26861a3c6ed2f44684225894a20aef9d9c831322b5f24313e0c9ddfbf3ccb

    • SHA512

      89e51b2db7d90dd25aa3dd0cc248e0b3b44d75305e0ba5829dfc9cbb9d74cce2ac91073de326fdd67992524632a9f1f7218187c5e255177d1c1f08e125339287

    • SSDEEP

      12288:UfAbXkhMOoltiJX02vQp9XbzhNaSiVMTW9GvWbzfl/VP8MlGDDut6UrYm:pkh5oDiJNU9NwMTQ6U4JDut6UrYm

    Score: 8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      AWB #281024..scr

    • Size

      972KB

    • MD5

      dbea8d0867f7778d1a4ac7ee5c2ddcc9

    • SHA1

      ac3744a6d1ad36ef9d57fbb6a2f40f1a45f63637

    • SHA256

      88bb9bed8031190a16d24e5e26de559fb3ba8f7cda489b8f09cb40e2e1f2df9a

    • SHA512

      d01230eaf87229e58627d763352b56e5cca8bc4e55fe852ada3df1e16bd6b1285e110e3c7507e5a50c37c391541bf1bcad257f0eebfb55231162edc8ef15a666

    • SSDEEP

      12288:OAgyHUjQ+OXk4lpfL0ND1+EpT3T8DRngh7S54yTf+GYATqgm9MuJr6rq4YjyndWm:ZUj4uhIEpTQVMA2l9MucrZk6z

    Score: 8/10
    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    • Target

      EE85716273pdf.vbs

    • Size

      15KB

    • MD5

      dd2dbf4aaf7ccc943b82dda51afc985e

    • SHA1

      61a75176fefa4be72f5978319116722396a0e919

    • SHA256

      f592c9039e109241cbfd30ae6b0ec2c1098b10ca1dfa80eb427edea6564265f5

    • SHA512

      bcaaeeb59703067a86e59d94323f20347ca047c54658baf2dd4f50101a089b63407de4654138ed6dcf46a664cac0f5724322d9db86e4167d1e61b09db4a97f32

    • SSDEEP

      384:9b7o6mutReVkQRfjj+3auNjYKv5QN+pBcXg:ds6muSfe3auhYKuMpB7

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • UAC bypass

    • Detected Nirsoft tools

      Free utilities often used by attackers, which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook accounts

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Produccion.exe

    • Size

      782KB

    • MD5

      df5e4c3fcbb003291a9799ac07c19718

    • SHA1

      c73ba1d8e6e30a37cf4675d3204b15b75b330b26

    • SHA256

      fd424c3fcd01bce1f07c8040bcf1c3683078c4b048528f76efc69b26b207e1a6

    • SHA512

      f6bbac1abf087bcb4730e8281d07af8aa70c86b5c476338df58cb042ff6629bcfc51e57a2ed4f18f444c53a2f2f914e170b1a2e73161701db9bbf26b7b3cc3f9

    • SSDEEP

      12288:I5gGipxk+Kugo1xj+ZY9SQ7ax6q+gdD3/86DtrmT9cPfRNLiyi7TRd8:5Giw+Jn9SQ5q+Y/gcHv+yId8

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

    • Vipkeylogger family

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Quotation.exe

    • Size

      1.1MB

    • MD5

      eaad92690f4cc140b25affb391767c48

    • SHA1

      2f161c2e596eaca3f903f56fc24561c610ce0bcc

    • SHA256

      6d3bda97722c347d083d7127f23eae6f28e86ee31a8b9b643826a44bdc97be69

    • SHA512

      b9755a349d09904ed4f1c702353e9f8c3e8b4063f25eb349695452bcce1f930b3473ce1a0c3f4b1749e8afbc643fc87e253188e33182c2ff0ee50ef23de67c80

    • SSDEEP

      24576:z4nhDoAFq/DZt9+jNcwHCBNFSgaEMZNXLGQ7WczkxFnfbP9b:z+hkxlijusC5SxHNXKQKczgF

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      報價請求 - 樣本目錄.vbs

    • Size

      156KB

    • MD5

      3655ed4ac8786b349f6c824ef9fbf58c

    • SHA1

      a2c6abe2e04a0c5548288ffdaf4a9c27bc644d0b

    • SHA256

      52bc69a2c50c4bc07047508511fe4e7c17b3f380ac3a6a2f5229330b0b1a6980

    • SHA512

      1792ca76e88342a853ffd6f35cf53956d36178811b411361a5f15499570f02d225c53e83fc4d0b3c85ce1d4009466dc289c0fbeba1984da838110eb9e6519a48

    • SSDEEP

      3072:xiHtveXendAy3yrLRKm+ay3tJuj8Sq2qb0M240PCOLvAtK3qfBHqnSBu46:xiHtveXendAy3yrslay3tJuj8Sq2qb0X

    Score: 8/10
    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

MITRE ATT&CK Enterprise v15