General

  • Target

    archive_52.zip

  • Size

    71.3MB

  • Sample

    250322-g1ytwstks3

  • MD5

    39ff75e3321a7b25efbfe703c7de94ec

  • SHA1

    2963c4ae129ff1ebd7e3c65ee49a78739ffefa29

  • SHA256

    5de218dd00c5b6536a8ea373bbe9b9f2079f788a113b847fbd5c39932170a6e6

  • SHA512

    c319b1e4a03fa0288054c5bbfae1aec41752bcbb3459226c74f8b65f41eda917fb3f85afdd04c6de2e45191f24d38bb8142b3aca142a403b4aee01d3b00937d0

  • SSDEEP

    1572864:e00oDoLShEghAVnI4A46clWQdheid+6HL3eQpGaJOeZQk:woD8Sh94Z5l1TdLuQMaJOeZQk

Malware Config

Extracted

Family

xworm

C2

working-drain.gl.at.ply.gg:26732

127.0.0.1:7000

127.0.0.1:7777

Attributes
  • Install_directory

    %Temp%

  • install_file

    svchost.exe

Extracted

Family

njrat

Version

0.7d

Botnet

H2cKed bY TaKsHeR

C2

z88.ddns.net:5552

Mutex

63836c251750e788af0d3ead7ef4cada

Attributes
  • reg_key

    63836c251750e788af0d3ead7ef4cada

  • splitter

    |'|'|

Extracted

Family

revengerat

Botnet

Guest

C2

192.168.1.37:1111

Mutex

RV_MUTEX-aClgZblRvZwfR

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

192.168.134.128:6606

Mutex

231421421412

Attributes
  • delay

    3

  • install

    false

  • install_file

    RegAsm

  • install_folder

    %AppData%

aes.plain

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot8031163681:AAFH2N6BlT_hbhu2xWrmOscGz8sn0r9CGYs/

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      d1773dbf85d917eb86780278256b5314.exe

    • Size

      224KB

    • MD5

      d1773dbf85d917eb86780278256b5314

    • SHA1

      921c853202eada39d4f6e5f4a26fbfc3ea3a204f

    • SHA256

      b0f7b41da01a331e50612953ec181657074d9eb942361fcf3e97a10b544f43e1

    • SHA512

      6ccee9720bd9a774f35943e56c930428d97c758afa4089912cb6d022311a7fc11c3b784b2c6d5e1bb630530f594041d48f67ae2834ea7eea024691b8b3345cf0

    • SSDEEP

      1536:LEG93312zK86AO5BZqoLUbhFLC4Y6T16OUmRk3Pk9vjUxyjq:IG93P8mWCUbhNQOjRkfk+f

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914.exe

    • Size

      1.6MB

    • MD5

      66d07aba299e88d9fd0562bdde9ef487

    • SHA1

      3187acda67ed22501f39f2b436d064faf9464045

    • SHA256

      d17833b5ad52144ac94274f3623e730f247aec0b6cd5d8cea6e910c898bac914

    • SHA512

      64ec5f70e2e57279280b2bd2aa6503138b362e2777be368037102acba1875361e8299460e6075e04aa9f754c9597d63c89d27b80f7b054c766675ef0e8aff875

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      d19713a05b239bb9c15e350f22976c60.exe

    • Size

      65KB

    • MD5

      d19713a05b239bb9c15e350f22976c60

    • SHA1

      b3653eabb3070cf31ffa1bfb4c728f0f8612248e

    • SHA256

      04607114ecf76a4fe8522ee8a9306c8110dd936c44adb5a3ff32cfcdc275a7d7

    • SHA512

      3ab552f2f642a15630e6b7acaf12040304c4c50a50b8eb004b79ca72cc90dc8b0d39ec33a290c1f5e0615ec8ba85dda3b073e31cca2691f642105d957715795a

    • SSDEEP

      1536:7ogg0w/xs0rkZ6NcWB5ZP6bEurlDvYS+56RGl4Ow5jw:7ohpsIkZeMbEyYKGeOwRw

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      d1a0b78620011cdf2da572aca494dc7841cb4ca79d073b671d522434894ab086.exe

    • Size

      880KB

    • MD5

      54fab8b19cff15f0431e5fb1415f5e35

    • SHA1

      22df553be076382ad84097e51a11ceea6110691f

    • SHA256

      d1a0b78620011cdf2da572aca494dc7841cb4ca79d073b671d522434894ab086

    • SHA512

      f2109f32d7e82b9d29c4e2f66281c758d8c397d71df0de4f775aeac69cd38962676a6c38f5ac606d579c651a160570a25259aa08f56d4f866c3234c4def42d62

    • SSDEEP

      12288:Sp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRzwAY3Ar:SpugRNJI1D39dlfGQrFUxwAeAr

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d1a62cde3f49e619203ecf47cdef2cb02a768451ece298279ccf098016885b76.exe

    • Size

      8.5MB

    • MD5

      772686c5dae13bb239cff557ad2ba438

    • SHA1

      41fddf88a72223ddd0dbd7cb0cf3f4efb7b73d85

    • SHA256

      d1a62cde3f49e619203ecf47cdef2cb02a768451ece298279ccf098016885b76

    • SHA512

      60de0c4cf3757c8f26241e8484c8f1255ad925a93f91c006b25ece59d3b83e8be20ab2ef6115cc351bc8e22302c7ba8540c17e1a7d1d073ac3c94d6d297307a9

    • SSDEEP

      196608:jxSZrxSZExSZfU+2at3DS7sJav43YmOZdqUW8wvuube:jxSZrxSZExSZfU+2aJDSgJnmqxHvbbe

    Score
    9/10
    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Target

      d1ae74abc0c8514f363c90e1a9b02aa4.exe

    • Size

      4KB

    • MD5

      d1ae74abc0c8514f363c90e1a9b02aa4

    • SHA1

      99e4302fdba2b02ff5eb064bf03809e868aadd2c

    • SHA256

      4d2d36942a7d28d621a8d859162237ce7d64b77cfebfd1b38027518efbc02374

    • SHA512

      3b682b2ceb8dc7bfad1b5ba183a048e3c8f6df3e5b9451242dab1c0448f0188f2ce25e256ff37592aff1ef3485d7414eb6b57c05f50f5b544749de944cb926ab

    • SSDEEP

      48:6Wm1tAqxZ8RxeOAkFJOcV4MKe28dMddQ6QeeLvqBH/uulB+hnqXSfbNtm:QijxvxVx9ZZnLvkRTkZzNt

    Score
    3/10
    • Target

      d1b8645939d08182047951aa23291fa83dff7f397528319b6be11cb24885598c.exe

    • Size

      2.0MB

    • MD5

      82416956a36751ccdbe03343574985e0

    • SHA1

      913a587fe1d30351697bf9d8a29e3e8cd278d1b0

    • SHA256

      d1b8645939d08182047951aa23291fa83dff7f397528319b6be11cb24885598c

    • SHA512

      acb815f9c30a0cb19befd324f56365e9782824bac2bee86def54dcd4fbb6d6b9b22b8e07d7141af0964ee4c66ac4bb164d7f7141fdaab03e40af390a6dbc6b5e

    • SSDEEP

      49152:zrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:zdxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Target

      d1d65f62acce133f4e44c137020c260f.exe

    • Size

      81KB

    • MD5

      d1d65f62acce133f4e44c137020c260f

    • SHA1

      9126e9b831a05735529357e4af31ce0d628ebdb6

    • SHA256

      73ea9482307e2db84538256bcee3a207fbc8bf512715316c82f3b4cebe46d8b1

    • SHA512

      e3b370a46ca604ec0f3a9bf8e9a702560eea9068de1be244c7c33ca0a1f68b7f6ddade33656327a4b5f604b63e644b3be42dd719a04a5077230bfa4f964c23dc

    • SSDEEP

      1536:1Pf20zEmeuVcp0l1kc2XCSIQiCXu6yMWKV:Nfd9JVq0fkDzJiCXu6yMX

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      d1ec8c3742e4e01173d709df1353dc5d.exe

    • Size

      885KB

    • MD5

      d1ec8c3742e4e01173d709df1353dc5d

    • SHA1

      30c91b20f0ced765718860cbb2a9f39ca19cf20b

    • SHA256

      e50d685dc91548b2786aaff53e3b0e3a0779a6e41304a59607c042a2ad12482d

    • SHA512

      1ba0dc8ff62291ca5d6213a1b7b6e473ee34b3b5dd5e56d6e6880c9a954f4682144785bd43f5e0e357913e465f53b9e78424dc8bb4146b479303597ecd2e3b65

    • SSDEEP

      12288:+lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:+lNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Target

      d21427a7a658882f85cfc0f0494d2337.exe

    • Size

      1.4MB

    • MD5

      d21427a7a658882f85cfc0f0494d2337

    • SHA1

      a3c7e31aa7beffc0b8c0fddbf140994ca07ed95f

    • SHA256

      2ef232eae08620c8b18e4a139d126d3da312053701aaebd3032fb638fb553eae

    • SHA512

      e606969e162951b2a93dcd2a7271cc423b65adcc8e9b66ee95d3e13bac0611714f93bcb7a74a309a8eabeb541c40bc106c5b458b8e14ac24c7dd5a7ccc6cfc88

    • SSDEEP

      24576:V8dvIOVmW6AbPsArkueRKmV3sNlHfiqJIM:VowONbkBuyKmBs7iM

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      d2181d98457190fa4bf7c49a700a5dfacba23a30d6377e5616aa9268c828dbce.exe

    • Size

      407KB

    • MD5

      0878aed9eae542df5c997f6c954daf59

    • SHA1

      19874d9b7ab3f44be913e05eaaff6ff629211987

    • SHA256

      d2181d98457190fa4bf7c49a700a5dfacba23a30d6377e5616aa9268c828dbce

    • SHA512

      cd9dda4b56e40c44296afd6f5533758946f2f8000147014b506cff185dafd5dc2ea853cff4825d8065ecbf052bbb83e366261961560100be1c6dc59d9e4495b6

    • SSDEEP

      6144:Ruvp7bVS6c8ZDYe6VlWT8b9zu53I4gEum4303NrrmRthb3qhoma:Ruh7bVS68PVle8UhgI3NnOlqhoma

    Score
    1/10
    • Target

      d22a2ed71bc83120e890a0b31d49984e.exe

    • Size

      97KB

    • MD5

      d22a2ed71bc83120e890a0b31d49984e

    • SHA1

      8f7d3b2560189b9b58b00b6778954cfa29872c48

    • SHA256

      ec73409a3ebab64f91ceeceda0abd110bd3c42e23ca4bbcb273c9fd71960006a

    • SHA512

      9fb25c1a5fbe5b9a43566912ebe31d52c1fe51a9d1405745dbe5ee12f3ad7aa4c2aa5b7b895c49f0711d7faa6044fb7888c36181fb9c1c0c0cb1d334bdfd086d

    • SSDEEP

      1536:aS8CnlE6aPvVVJQ/dejZ/uvOa3g7rFuqEWKFu027cQS:hZlmP3JjZ/uvLOrFuqZKFu027cQS

    Score
    10/10
    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Suspicious use of SetThreadContext

    • Target

      d23977a7d2d13a4481eabc68752bf8dd.exe

    • Size

      684KB

    • MD5

      d23977a7d2d13a4481eabc68752bf8dd

    • SHA1

      a1ce43fad2ea3f4ef2a325d2cb7332228064024c

    • SHA256

      20aed1d218b695d49699aa9afb2f2e036b24ecf0654ac8e1253a99037ec44c1e

    • SHA512

      2818b7a32c672b38f25d0bdcedb552854dd622192ad41129303dee7291d130cdcff84fade60c5a3081d36fa0a5bbaa1611064c822265eb71d675e9459bfcb39b

    • SSDEEP

      12288:/rjGofSN4zQZnMZiX9WnWvX9xxB1RcpOleKnS9PapcrQk:mof24cDvX9xPEi5k

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in Visual Basic.

    • Agenttesla family

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

    • Target

      d27cca271192c44b146218aa9a2e4926.exe

    • Size

      13.8MB

    • MD5

      d27cca271192c44b146218aa9a2e4926

    • SHA1

      ba6be730d1f0403b6041e0609b509afa2773146e

    • SHA256

      b666b92191e0a318a27efefcce8e1348a982587d2afdf4999019ba387353c8d0

    • SHA512

      efb7958822aad317457f7c6b85e5e73af315b854d67fda756ff033b23255ce543bf7ee488fa476114627bc84ab0d1d045d2fd45aa3e40bf5d6b91102afbd9363

    • SSDEEP

      393216:rGg4aKGg4aPGg4ayGg4a4Gg4aGGg4akGg4atGg4acGg4a0Gg4a0:LoPgWUSFai0

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Suspicious Office macro

      Office document equipped with macros.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      d28eec44852da7258b49d5816a13e6fbb31a34b744a327656950df56f3fef14b.exe

    • Size

      35.0MB

    • MD5

      341e0773e9deafbbce576955bf16c821

    • SHA1

      4b4acee76ba76b90ff457ba372628d687b7000a2

    • SHA256

      d28eec44852da7258b49d5816a13e6fbb31a34b744a327656950df56f3fef14b

    • SHA512

      48172c95eb1f57060cb52e23ffefeda32bff6002edab14912c84bcc753ac81125f903a82a6b337da980c96b486fbb4054fb9e8fbe298dde64aa77a1162d163e1

    • SSDEEP

      786432:4XuCHGJTk6G76kMNr0R7QMMnmAwgmC7XJTmfsxH6YxlUyS:5ZPkMYsMMnmABVm0J6YW

    Score
    7/10
    • Deletes itself

    • Drops startup file

    • Target

      d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d.exe

    • Size

      999KB

    • MD5

      7c3748401169a78459eb9603ff69e2b2

    • SHA1

      1a5d82422f062f1ce5d6eb3cb41c56d066f7981f

    • SHA256

      d2b881f2057c461af88b09179c137e9cf316304860ffe392700d143a4082fb1d

    • SHA512

      ec52f803bd6ff1fbcec6da1624a5fb93ebba87742fd3191b27fdf8e77bc7cbc8217542eacffb1f1f2c323a3956ef3037ef47595c9a00e43951172171275abc12

    • SSDEEP

      12288:/9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:/9pP5WS3lrMNyC9TJPCXBi

    • DcRat

      DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, h2cked by taksher, stealer, guest, default, xworm, dcrat, njrat, revengerat, asyncrat
Score
10/10

behavioral1

xworm, rat, trojan
Score
10/10

behavioral2

xworm, rat, trojan
Score
10/10

behavioral3

dcrat, execution, infostealer, rat
Score
10/10

behavioral4

dcrat, execution, infostealer, rat
Score
10/10

behavioral5

xworm, rat, trojan
Score
10/10

behavioral6

xworm, rat, trojan
Score
10/10

behavioral7

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10

behavioral8

remcos, host, discovery, persistence, rat, spyware, stealer
Score
10/10

behavioral9

defense_evasion
Score
9/10

behavioral10

defense_evasion
Score
9/10

behavioral11

Score
3/10

behavioral12

Score
3/10

behavioral13

dcrat, infostealer, rat
Score
10/10

behavioral14

dcrat, infostealer, rat
Score
10/10

behavioral15

discovery
Score
3/10

behavioral16

discovery
Score
10/10

behavioral17

dcrat, infostealer, rat
Score
10/10

behavioral18

dcrat, infostealer, rat
Score
10/10

behavioral19

discovery, persistence
Score
7/10

behavioral20

discovery, persistence
Score
7/10

behavioral21

Score
1/10

behavioral22

Score
1/10

behavioral23

discovery
Score
7/10

behavioral24

discovery
Score
10/10

behavioral25

discovery
Score
3/10

behavioral26

agenttesla, discovery, keylogger, spyware, stealer, trojan
Score
10/10

behavioral27

xred, backdoor, collection, discovery, execution, macro, persistence, spyware, stealer
Score
10/10

behavioral28

xred, backdoor, collection, discovery, execution, persistence, spyware, stealer
Score
10/10

behavioral29

discovery
Score
7/10

behavioral30

discovery
Score
7/10

behavioral31

dcrat, infostealer, persistence, rat
Score
10/10

behavioral32

dcrat, infostealer, persistence, rat
Score
10/10