Analysis

  • max time kernel
    92s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/11/2024, 23:46 UTC

General

  • Target

    DEMANDA LABORAL POR ABUSO DE CONFIANZA 01/WINMM.dll

  • Size

    5.0MB

  • MD5

    9d9b59e2893e58686a0cc608522102bd

  • SHA1

    b4a213c4f456ca191efc5711f0d2d819874444aa

  • SHA256

    7b91d4680dd3d290703a50db25b751cb9c7c8b612c1bed0d389ce9ace1f81333

  • SHA512

    327e63d2c5604210e8ba54d94fcd86b3dfeb91d0cf7af70110869d4f3aafbf00b4f8526defc9dcdeba36449d3fd9d6ddbb97a63ad169f4bbe8cb7a84b07ba218

  • SSDEEP

    98304:XVo25lOF7FdfzW64cv5tQpgBZwy7zJDSiQCz+acvnIpeT+4:XVoGQJF7v5tQpgBZR7zJDSiQCz+acvI1

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

mastermrcol.net:6565

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-89JTT1

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

PLATA

C2

mastermrcol.net:7474

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • aes.plain

    1
    RsffhKCrfqRyGVT8dVuw00ndlvCzACdj

Signatures

  • AsyncRat

    AsyncRAT, written in C#, is designed to remotely monitor and control other computers.

  • Asyncrat family
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family
  • Async RAT payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DEMANDA LABORAL POR ABUSO DE CONFIANZA 01\WINMM.dll",#1
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3396
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn "h5czQ95nhaFoPRcK" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn "h5czQ95nhaFoPRcK" /tr "C:\Users\Admin\AppData\Roaming\rundll32.exe" /sc onlogon /rl highest /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4716
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
        "C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4476
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\zjcitxakacjvpzicsunorgmlzyoysps.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1280

Network

  • DNS (US)
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    68.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    68.32.126.40.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    mastermrcol.net
    AsyncClient.exe
    Remote address:
    8.8.8.8:53
    Request
    mastermrcol.net
    IN A
    Response
    mastermrcol.net
    IN A
    186.114.160.77
  • DNS (US)
    geoplugin.net
    svchost.exe
    Remote address:
    8.8.8.8:53
    Request
    geoplugin.net
    IN A
    Response
    geoplugin.net
    IN A
    178.237.33.50
  • GET (NL)
    http://geoplugin.net/json.gp
    svchost.exe
    Remote address:
    178.237.33.50:80
    Request
    GET /json.gp HTTP/1.1
    Host: geoplugin.net
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    date: Thu, 28 Nov 2024 23:46:21 GMT
    server: Apache
    content-length: 956
    content-type: application/json; charset=utf-8
    cache-control: public, max-age=300
    access-control-allow-origin: *
  • DNS (US)
    77.160.114.186.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.160.114.186.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    50.33.237.178.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.33.237.178.in-addr.arpa
    IN PTR
    Response
    50.33.237.178.in-addr.arpa
    IN CNAME
    50.32/27.178.237.178.in-addr.arpa
  • DNS (US)
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • DNS (US)
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • DNS (US)
    23.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.236.111.52.in-addr.arpa
    IN PTR
    Response
  • 186.114.160.77:6565
    mastermrcol.net
    svchost.exe
    2.2kB
    537 B
    11
    9
  • 186.114.160.77:6565
    mastermrcol.net
    svchost.exe
    1.5kB
    69.8kB
    31
    53
  • 178.237.33.50:80
    http://geoplugin.net/json.gp
    http
    svchost.exe
    347 B
    1.3kB
    6
    3

    HTTP Request

    GET http://geoplugin.net/json.gp

    HTTP Response

    200
  • 186.114.160.77:7474
    mastermrcol.net
    tls
    AsyncClient.exe
    4.4kB
    66.2kB
    51
    70
  • 186.114.160.77:6565
    mastermrcol.net
    svchost.exe
    432 B
    172 B
    6
    4
  • 186.114.160.77:6565
    mastermrcol.net
    svchost.exe
    22.0kB
    612 B
    19
    15
  • 186.114.160.77:7474
    mastermrcol.net
    tls
    AsyncClient.exe
    456 B
    321 B
    6
    4
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    68.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    68.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    mastermrcol.net
    dns
    AsyncClient.exe
    61 B
    77 B
    1
    1

    DNS Request

    mastermrcol.net

    DNS Response

    186.114.160.77

  • 8.8.8.8:53
    geoplugin.net
    dns
    svchost.exe
    59 B
    75 B
    1
    1

    DNS Request

    geoplugin.net

    DNS Response

    178.237.33.50

  • 8.8.8.8:53
    77.160.114.186.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    77.160.114.186.in-addr.arpa

  • 8.8.8.8:53
    50.33.237.178.in-addr.arpa
    dns
    72 B
    155 B
    1
    1

    DNS Request

    50.33.237.178.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    23.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    23.236.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe

    Filesize

    66KB

    MD5

    07554efccfc2a1b265e155f689bf46be

    SHA1

    5a5103b26e6584863f4f1e3c210edede6c58064a

    SHA256

    0e0b867c176d56b9ee2fe6ef05534d1051df3c5f05116b2af16cbe365276d6e7

    SHA512

    8ed2d1d358ac0818eb67340bfc57130e1a020007a393bc43aac42ebb7dd44d2627293e81c8a733a874f5f54a8e509ba4acbab04619b0272d95c2688192b59461

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe

    Filesize

    481KB

    MD5

    7351848cf8f7b5307295fd43baa212b0

    SHA1

    72e21a3a6a5d28ba4750c2dbfe68d772922c658b

    SHA256

    ace75a22a1dae4bab204a56aae3461619ed52a1315bdd1efb5197debff2268d0

    SHA512

    ba9cad85728ea0b1a7c2144e788c9f83d4a6086607b244697a641c15a5f09aad4d226772a5ea001e41ba5abf85e1d39259bbffc33f72a355fbb1804a65e79f38

  • C:\Users\Admin\AppData\Local\Temp\zjcitxakacjvpzicsunorgmlzyoysps.vbs

    Filesize

    500B

    MD5

    f1da013fa58295ac94372331e618f047

    SHA1

    b52f602bca7d2b9a04a55be4a1a4de857c98cbdb

    SHA256

    01df7d7ec8acb49f038a93cf1aeb9a79ddda138fa38992f477e6448689c09cd9

    SHA512

    fc1cfb5f09b5d96958d9387f582629e6691e996890ea345466fc47e214be074c9c625f3fb7f4e86d7e5b9864edcfe0d40031e6a0d6c496c5427d21bcffba26a8

  • memory/3396-32-0x000000006D080000-0x000000006D57E000-memory.dmp

    Filesize

    5.0MB

  • memory/3396-0-0x0000000000400000-0x0000000000835000-memory.dmp

    Filesize

    4.2MB

  • memory/4476-35-0x0000000006230000-0x00000000062CC000-memory.dmp

    Filesize

    624KB

  • memory/4476-31-0x0000000000E60000-0x0000000000E76000-memory.dmp

    Filesize

    88KB

  • memory/4476-36-0x0000000006880000-0x0000000006E24000-memory.dmp

    Filesize

    5.6MB

  • memory/4476-37-0x00000000062D0000-0x0000000006336000-memory.dmp

    Filesize

    408KB

  • memory/4476-38-0x000000007343E000-0x000000007343F000-memory.dmp

    Filesize

    4KB

  • memory/4476-30-0x000000007343E000-0x000000007343F000-memory.dmp

    Filesize

    4KB

  • memory/4476-44-0x0000000007430000-0x00000000074A6000-memory.dmp

    Filesize

    472KB

  • memory/4476-45-0x00000000073B0000-0x00000000073D6000-memory.dmp

    Filesize

    152KB

  • memory/4476-46-0x00000000074B0000-0x00000000074CE000-memory.dmp

    Filesize

    120KB
