Overview

overview

10

Static

static

10

36.exe

windows7-x64

3

36.exe

windows10-2004-x64

3

Enalib.exe

windows7-x64

10

Enalib.exe

windows10-2004-x64

10

RDriver.exe

windows7-x64

8

RDriver.exe

windows10-2004-x64

8

SDriver.exe

windows7-x64

3

SDriver.exe

windows10-2004-x64

3

T.exe

windows7-x64

10

T.exe

windows10-2004-x64

10

autoruns.exe

windows7-x64

3

autoruns.exe

windows10-2004-x64

3

e.exe

windows7-x64

10

e.exe

windows10-2004-x64

10

fake jpg shit.lnk

windows7-x64

10

fake jpg shit.lnk

windows10-2004-x64

10

fake photo.lnk

windows7-x64

3

fake photo.lnk

windows10-2004-x64

7

noyjhoadw.exe

windows7-x64

10

noyjhoadw.exe

windows10-2004-x64

10

unins000.exe

windows7-x64

3

unins000.exe

windows10-2004-x64

3

use for by...ck.exe

windows7-x64

8

use for by...ck.exe

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    shitty rat and stealer collection NEW!.zip

  • Size

    8.1MB

  • Sample

    250124-qgljwszmd1

  • MD5

    db256a79d74671e4d32f9da396a8a7c4

  • SHA1

    ea2317fcf400211338e0bf0d39e92c2c5dfcfb90

  • SHA256

    e36e49e1cea0dd836cfb1dec293f5fc5c7c197c4eb2df035458a6a5d00265137

  • SHA512

    f4f5db220fe7b4cfbb650cd871ca0efcaaf4523de7e0c6ee0ca4a84b316ab4ae3aca250bb47cf3cbcb6b81d62ccfa760f935eec80f27587c61690b4d8d7db39b

  • SSDEEP

    196608:V/S3A3rlandL+7IVhRTYsw18HpZjPDFjQSJrU+u:V/S32rcdbVHbj7llpu

Score
10/10
remcosvidarxwormremotehostdiscoveryexecutionpersistenceratstealertrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

stopeet.camdvr.org:2404

amalar.camdvr.org:2404

prosir.casacam.net:2404
Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    abj.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    b2bhdjdhbvduhdi3ed-F3Q5YI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Extracted

Family

vidar

C2

https://t.me/sc1phell

https://steamcommunity.com/profiles/76561199819539662
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

xworm

Version

5.0

Mutex

WlO6Om8yfxIARVE4

Attributes
  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/7G6zzQwJ

aes.plain

Extracted

Language
hta
Source
URLs
hta.dropper

https://80.76.51.231/Samarik

Targets

    • Target

      36.exe

    • Size

      928KB

    • MD5

      20d70cef19b44a5ad5f824f3af1a25c6

    • SHA1

      a1af206adc2a2f25b12e061dbb61934b0eff6b63

    • SHA256

      6db3f4189e0212c815067077e6ceb1c2c22fce0ed29fdf9edf741099ed94ebdb

    • SHA512

      16a53277369f36d751a3a68924688f4bc560862402e208df6d5bbf7366fec2f463fd26304109a8d48001f2ffccba4baa05fe7883dfb1a05973d38044aba14338

    • SSDEEP

      12288:MoA/DC7VtVyUHa1TQuI1OBvJd9SZ/hiYs3nHLQdrQtiYo4aAEcxyR05/L103H:MX/DC7Vpa1T/Bv9SRc7yrQz6CxyG5TyX

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      Enalib.exe

    • Size

      28KB

    • MD5

      78fc1101948b2fd65e52e09f037bac45

    • SHA1

      ba3fc0499ee83a3522c0d50d9faa8edcbd50ad44

    • SHA256

      d3c5ed75f450a48329ca5647cb7d201ba347bd07138ee9b43716df56dd7a1dc2

    • SHA512

      e89ffe3f5e15bbffd0cacf596439b622827fa9ca5eac2fcfd6617b84660673df18a0b50f27fda04310204f7501819865c54dc60a2ee092af8d5ce83ce4d048f4

    • SSDEEP

      768:yQJGNK7vTOcsLqtcD9CHCQyYF4i5+kQjj3:9JGm6sHCQPMZjT

    Score
    10/10
    xwormdiscoveryrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    behavioral3behavioral4

    • Target

      RDriver.exe

    • Size

      251KB

    • MD5

      d447549e7c608504091e47ef709a5998

    • SHA1

      775734570119b304ad0f04e5c4489997ca58edb3

    • SHA256

      5227b0678f64770fbe06ac5afd7686f2f50d4b186b22012693ab9e87c0d2521f

    • SHA512

      25fc3140f397a5b4813775d516fdcf0dc8c3e8d836865c6f8a8cbf195f1fe075a439fcb8b5c53baa749891d7a8a947799be548e8289700d0352af578a9835728

    • SSDEEP

      3072:3acCeiJKEumxfRNLg4SbqLdi7+C7j/sVl163jzWiF+C:3acCeikTmx5NgmQiZ63fW

    Score
    8/10
    execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution
    behavioral5behavioral6

    • Target

      SDriver.exe

    • Size

      5.0MB

    • MD5

      54e9b7266e8a20a1ac5f5af0617e11b9

    • SHA1

      355579a2356f69f67add9fddb7e25cce7c00bc47

    • SHA256

      8efcc58cb39dc85a63d9c997d57b4c3079639a3463834b0a5c3e6333eaaa8a32

    • SHA512

      2365e84aafc9f94e19d868c96e300d8a091abb4380e6366221130d2e0804f62b94447090ae3a7e1c0a5049c09ebf77bacfbab631b4975c1663d757352295ed41

    • SSDEEP

      49152:kgYpahIIHFGZWDM6gQyGD5gSZxRXK5jNEk52EhLPVo3pfh9Mt1+z1gn6x1:kgY1wGZWJbyOXWE3tlg

    Score
    3/10
    discovery
    behavioral7behavioral8

    • Target

      T.exe

    • Size

      28KB

    • MD5

      78fc1101948b2fd65e52e09f037bac45

    • SHA1

      ba3fc0499ee83a3522c0d50d9faa8edcbd50ad44

    • SHA256

      d3c5ed75f450a48329ca5647cb7d201ba347bd07138ee9b43716df56dd7a1dc2

    • SHA512

      e89ffe3f5e15bbffd0cacf596439b622827fa9ca5eac2fcfd6617b84660673df18a0b50f27fda04310204f7501819865c54dc60a2ee092af8d5ce83ce4d048f4

    • SSDEEP

      768:yQJGNK7vTOcsLqtcD9CHCQyYF4i5+kQjj3:9JGm6sHCQPMZjT

    Score
    10/10
    xwormdiscoveryrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Drops startup file

    • Legitimate hosting services abused for malware hosting/C2

    behavioral10behavioral9

    • Target

      autoruns.exe

    • Size

      1.7MB

    • MD5

      61506280fc7e663db6715ac2206af6d4

    • SHA1

      3b42f1e497c909d48343768b58e9e5222d540330

    • SHA256

      f41051697b220757f3612ecd00749b952ce7bcaadd9dc782d79ef0338e45c3b6

    • SHA512

      4343ace3777173fbf68c501d15011fec940f9f3eea7206712f9934bab432d15753b4c6c0369eb14b8341221992f964c5a37c23a655255572b1a13cde717b2472

    • SSDEEP

      12288:g1hJ7jnpTutVfjKHhO5VwocPYOhV6y4wO9y+IpunYtALwBzKn2CXrfZetCvmK2UI:WcaHhMcPYq6+O+puYtAcBzg/7SmGNJ

    Score
    3/10
    discovery
    behavioral11behavioral12

    • Target

      e.exe

    • Size

      462KB

    • MD5

      8461e97514f42d93dccb4ec7f7100453

    • SHA1

      ddb0584a3fcfa72e694ac30c06b7ac444644b863

    • SHA256

      b43cc694d316e52b7c650b72e0d0e00ab4f9430305970dcdb19a6890c87ccf90

    • SHA512

      d75d68ac42848d7c7141540fc9893f57e54cb399254565a6335be31df5bae65c3949319007b021aebf7deb21a36b1a7677d785b0d410d1e1f4427a91d30dd9ce

    • SSDEEP

      6144:nOFBH/FMNjt18F+9a/NgAeDB4CcOtKp03b13a4LJ+sAOZZPWXbTcU2yg:nOFtiNBuFgawDB4NOmuwsfZPlyg

    Score
    10/10
    remcosdiscoveryrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos
    behavioral13behavioral14

    • Target

      fake jpg shit.lnk

    • Size

      990B

    • MD5

      55f505fdd270f4f0d4c7e81774b1b3cc

    • SHA1

      3092ceda61f0a92602e2795638cd5e79af841271

    • SHA256

      3e4332ad46766087b51aac9c3150cf373da5cc12414a3f40668df718fa7ed2d6

    • SHA512

      54cfde5698c681b46afa6cd5ed436eadb76404d831ad112ac3a753f82a5725a5592d129c9fcbf870bb4d9bfee398869f653ca1dd74e06e7f6e71c2cca9bf6ee6

    Score
    10/10
    execution

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Drops file in System32 directory

    behavioral15behavioral16

    • Target

      fake photo.lnk

    • Size

      1KB

    • MD5

      3a9349af006440c7e0da677724551239

    • SHA1

      70075bb3b999e825e328302b462deb1aa337b663

    • SHA256

      00401651af3194ede5157004b6dbe1edf836a94ca182221f2c034201fe55e4dc

    • SHA512

      588d9ea0c7d770adf1be9c887ef2f2cdb42a7205d2dd1288cda193cd1d99eb689b5dc68765e17724f093ef312b7769290968610c4c6f2be0432d52d483ff15c0

    Score
    7/10

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral17behavioral18

    • Target

      noyjhoadw.exe

    • Size

      119KB

    • MD5

      65cc23e7237f3cff2d206a269793772e

    • SHA1

      fa3b354d2a7a4a673d4477ddcf1e1f2c93bb05fd

    • SHA256

      a57a8a3c3c073632337bb870db56538ef3d3cebd1ada4c3ed2397ea73a6923fb

    • SHA512

      7596ec7aeef7fcf446328dc928a835a54fa1060264b170baf2413252977bb0ac0b8da96867895530601cc098516e7bb82d1edbabfcfccd29d24619fe89f49613

    • SSDEEP

      3072:8Ho0VvS7fw67XojiwHjwlntccGGLz9VkYFP+WR9pLhbtnhSe2e2e2nw:41VvSM6ziiw0cMLzDj9VBne

    Score
    10/10
    vidardiscoverystealer
    behavioral19behavioral20

    • Target

      unins000.exe

    • Size

      5.3MB

    • MD5

      e94affb98148fc4e0cfb9a486bb37160

    • SHA1

      3cf9cbca48ed9e36a0ccd17cf97f6e4b96c14a24

    • SHA256

      bcbdb74f97092dfd68e7ec1d6770b6d1e1aae091f43bcebb0b7bce6c8188e310

    • SHA512

      82d01ed6fb9d0fcd88193ac01e262b2ac12b31a0826efb3b5cc0a7d3b710a502ea0d4b5b13b7a3701b27c29f181e066e71a7542b060c41fa93a1f33f701d4713

    • SSDEEP

      49152:siE8NvQCX7lF4RQSxPodbxsl7IwDksRinJwj9LaDpppz0ooEp333nX18954M/+df:siE8OQMlIwDkZqBLe333niUxt5fb9T/

    Score
    3/10
    discovery
    behavioral21behavioral22

    • Target

      use for bypassing taskmgr block.exe

    • Size

      4.3MB

    • MD5

      94c60e6704b5dd11a139f2ffebde9135

    • SHA1

      cd89f1cf9428a3eab554a3eb9ff6ca869e5bc368

    • SHA256

      106bf123359d03963b1df1011fb8560aaf1c5e811de775dce1d8a53758a69102

    • SHA512

      586bf326eae890379fcc7ad60e0a70384d069898aea46da32baf6bd60854df97b461019beaf17744ba3dfc0e70eb75970b977c30f035d296ae89763605d4ff6d

    • SSDEEP

      49152:cGNq7FBhpRWa3viMRIcDdxw6dXF3W1QrL1UDq3P8mlp4DOXUxm:cGejpRWafEkRW6OHmrZXt

    Score
    8/10
    discoverypersistence

    • Drops file in Drivers directory

    • Sets service image path in registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral23behavioral24

MITRE ATT&CK Enterprise v15

Tasks

static1

remotehoststealerremcosvidar
Score
10/10

behavioral1

discovery
Score
3/10

behavioral2

discovery
Score
3/10

behavioral3

xwormdiscoveryrattrojan
Score
10/10

behavioral4

xwormdiscoveryrattrojan
Score
10/10

behavioral5

execution
Score
8/10

behavioral6

execution
Score
8/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

xwormdiscoveryrattrojan
Score
10/10

behavioral10

xwormdiscoveryrattrojan
Score
10/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

remcosdiscoveryrat
Score
10/10

behavioral14

remcosdiscoveryrat
Score
10/10

behavioral15

execution
Score
10/10

behavioral16

execution
Score
10/10

behavioral17

Score
3/10

behavioral18

Score
7/10

behavioral19

vidardiscoverystealer
Score
10/10

behavioral20

vidardiscoverystealer
Score
10/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discoverypersistence
Score
8/10

behavioral24

discoverypersistence
Score
8/10