Overview

overview

10

Static

static

1

RNSM00309.7z

windows7-x64

10

Resubmissions

15-11-2024 10:27

241115-mhkgfawpbm 1

13-11-2024 17:24

241113-vy5rbazjfj 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RNSM00309.7z

  • Size

    2.2MB

  • Sample

    241113-vy5rbazjfj

  • MD5

    4e649bb49bbb535557a97f987259c701

  • SHA1

    f705f30ce7b16a957e88f24a7fe401fc489a07ef

  • SHA256

    1600aa05440a0e8020f0ac6624e9eb177b2c76b0fbdb8baff60fce1e5514fe77

  • SHA512

    7a4ca45e7f936fa43d5b69d31358bc105c1cf7f9fe9b404a83f36cdce940b6a18c16f005e06624abf4ebd031bf7942e23e46dbb8e2617eda47f250faf41c79ca

  • SSDEEP

    49152:pEqkI1iXTIV2Ah0RwzLoKJnD3kg2/S+sMqi0jeAjc1MTiKqbwy:pZiXTiYKtD2S+sMlhA9cbj

Score
10/10
lokibotnetwireremcoshostbotnetcollectiondefense_evasiondiscoveryexecutionimpactpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

netwire

C2

37.233.101.73:8888

213.152.162.104:8747

213.152.162.170:8747

213.152.162.109:8747

213.152.162.89:8747

109.232.227.138:8747

109.232.227.133:8747

213.152.161.211:8747

213.152.162.94:8747

213.152.161.35:8747

213.152.180.5:8747
Attributes
  • activex_autorun

    true

  • activex_key

    {II4160M1-EM5E-6FAH-8P84-A45Y2F264V3P}

  • copy_executable

    true

  • delete_original

    true

  • host_id

    02.12

  • install_path

    %AppData%\Install\Host.exe

  • keylogger_dir

    %AppData%\Logs\

  • lock_executable

    true

  • mutex

    sIujulKF

  • offline_keylogger

    true

  • password

    DAWAJkurwoKASEniePIERDOL

  • registry_autorun

    true

  • startup_name

    system

  • use_mutex

    true

Extracted

Family

lokibot

C2

http://sariraatjgaye.com/dew/fre.php

http://kbfvzoboss.bid/alien/fre.php

http://alphastand.trade/alien/fre.php

http://alphastand.win/alien/fre.php

http://alphastand.top/alien/fre.php

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

173.212.238.224:4444

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_mfmmvpnarpquguk

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      RNSM00309.7z

    • Size

      2.2MB

    • MD5

      4e649bb49bbb535557a97f987259c701

    • SHA1

      f705f30ce7b16a957e88f24a7fe401fc489a07ef

    • SHA256

      1600aa05440a0e8020f0ac6624e9eb177b2c76b0fbdb8baff60fce1e5514fe77

    • SHA512

      7a4ca45e7f936fa43d5b69d31358bc105c1cf7f9fe9b404a83f36cdce940b6a18c16f005e06624abf4ebd031bf7942e23e46dbb8e2617eda47f250faf41c79ca

    • SSDEEP

      49152:pEqkI1iXTIV2Ah0RwzLoKJnD3kg2/S+sMqi0jeAjc1MTiKqbwy:pZiXTiYKtD2S+sMlhA9cbj

    Score
    10/10
    lokibotnetwireremcoshostbotnetcollectiondefense_evasiondiscoveryexecutionimpactpersistenceransomwareratspywarestealertrojan

    • Lokibot

      Lokibot is a Password and CryptoCoin Wallet Stealer.

      trojanspywarestealerlokibot

    • Lokibot family

      lokibot

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Netwire family

      netwire

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Contacts a large (7712) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

      discovery

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

      discovery

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomwaredefense_evasionimpactexecution

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1
T1047

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Direct Volume Access

1
T1006

Indicator Removal

2
T1070

File Deletion

2
T1070.004

Modify Registry

4
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Network Service Discovery

2
T1046

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

Remote System Discovery

1
T1018

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Inhibit System Recovery

2
T1490

Tasks