General

  • Target

    super duper ultimate robbery gang.zip

  • Size

    5.8MB

  • MD5

    2d0dcaa2ef56cd6d2fe9bd8c7f576471

  • SHA1

    13954dd3862e78b72f3abf8610ef5298bfc06abd

  • SHA256

    b22f7f97d15127377296e1115f8e8fba93e5d7acb17cbf3db258af6ccb9b6a79

  • SHA512

    0579202f7bb94b157ed873e1ac28c260321808ec22d5621c16fba5c05e09a3db61c10900d52a0fa15a588787c02dae362ae9cd234f3c2ff847c96aedade36aca

  • SSDEEP

    98304:U/2wGe6OWquScT7QdA0x5UnUWlpbPoGch9bjOBTiXmA+/CBmn82vEUX6e5exzonR:tLqpcT7QdxvULl9yhs9h/mp2ekexzoA0

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

ZFt9dPZbK7Z1

Attributes
  • delay

    3

  • install

    true

  • install_file

    test.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

darkcomet

Botnet

Guest16

C2

127.0.0.1:1604

Mutex

DC_MUTEX-83M2HE1

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    a41jikRrG7Ty

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

darkcomet

Botnet

valorant

C2

127.0.0.1:1604

Mutex

DC_MUTEX-FV0KX58

Attributes
  • InstallPath

    Windows Gezgini/exploore.exe

  • gencode

    o2wpkDU8nSnV

  • install

    true

  • offline_keylogger

    true

  • persistence

    true

  • reg_key

    google

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.168.56.1:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7NRWI3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Async RAT payload 1 IoCs
  • Asyncrat family
  • Darkcomet family
  • Remcos family
  • Unsigned PE 5 IoCs

    Checks for missing Authenticode signature.

Files

  • super duper ultimate robbery gang.zip
    .zip
  • AsyncClient.exe
    .exe windows:4 windows x86 arch:x86

    f34d5f2d4577ed6d9ceec516c1f5a744

  • Valorant Aimbot.exe
    .exe windows:4 windows x86 arch:x86

    e5b4359a3773764a372173074ae9b6bd

  • dark web setup.exe
    .exe windows:5 windows x86 arch:x86

    1494de9b53e05fc1f40cb92afbdd6ce4

  • google.exe
    .exe windows:4 windows x86 arch:x86

    e5b4359a3773764a372173074ae9b6bd

  • x-ray mc fre.exe
    .exe windows:5 windows x86 arch:x86

    6e326715b064080305ea2c7299a1a146

  • yandoxx.exe
    .exe windows:6 windows x64 arch:x64

    3283db44436f9cda0258af37cca51bae
