General
-
Target
archive_57.zip
-
Size
52.6MB
-
Sample
250322-g2knnatkt2
-
MD5
cfcf8a48803b5d7e40eb5caa48927daa
-
SHA1
cabb20fa9f372588726f179a4cbcd3411dc05f7d
-
SHA256
e5d28ec84e4b5f023e3f386cf7e0776850b67e2bad1299413885f3fdd757f58c
-
SHA512
e89d8de61dd1af53cfa72e9f640297dee76499ac22eb1384cad2bf89a03339db892bbf02d02ac0852eb9eba1333eb72d44d15bdf81acc22e781b7a5c6a43b21a
-
SSDEEP
786432:y6PaCRm//yxNN//yxNkfZ0iS1H5ZawLcBdQegJwI6T5o5IgJrOHxvnoa4b8/29tl:hLRGatawqhAVnIioVFORvozU2XSS
Malware Config
Extracted
njrat
Njrat 0.7 Golden By Hassan Amiri
topher
127.0.0.1:5552
Windows Update
-
reg_key
Windows Update
-
splitter
|Hassan|
Extracted
njrat
0.7d
HacKed
rantu.ddns.net:1177
2eb54f435f25eb81272f7f2f1d81c98d
-
reg_key
2eb54f435f25eb81272f7f2f1d81c98d
-
splitter
Y262SUCZ4UJJ
Extracted
xworm
5.0
27.ip.gl.ply.gg:4563
127.0.0.1:1603
morning-ultimately.gl.at.ply.gg:1603
MF6dhFMwgcljrzUB
-
Install_directory
%Public%
-
install_file
rozetka228.exe
-
telegram
https://api.telegram.org/bot7809829240:AAGhYA4SPUVIk4XcRD9Y4PjF3oUrHO6XJcM/sendMessage?chat_id=5838837539
Extracted
njrat
0.7d
XboxE
vncdz213.ddns.net:7500
e431bd5145cebea0bba46beb9fc0ccac
-
reg_key
e431bd5145cebea0bba46beb9fc0ccac
-
splitter
|'|'|
Extracted
xworm
3.1
-
install_file
Mason.exe
Extracted
njrat
im523
HacKed
127.0.0.1:8884
e74b08658c528d3d311506adb49a025a
-
reg_key
e74b08658c528d3d311506adb49a025a
-
splitter
|'|'|
Extracted
xworm
127.0.0.1:3775
discussion-temp.gl.at.ply.gg:3775
-
Install_directory
%Userprofile%
-
install_file
svchost.exe
Extracted
umbral
https://discord.com/api/webhooks/1351374291261718571/m5LIIWlqorXnzT48pitTuxfMUMetQJ52rJhbTqyDfIywVmJ3ZnM3iUIHTa3R0uTiMSFB
Extracted
remcos
1.7 Pro
Host
213.183.58.19:4000
systemcontrol.ddns.net:45000
systemcontrol2.ddns.net:45000
-
audio_folder
audio
-
audio_path
%AppData%
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
5
-
copy_file
remcos.exe
-
copy_folder
remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
true
-
install_flag
false
-
install_path
%AppData%
-
keylog_crypt
true
-
keylog_file
read.dat
-
keylog_flag
false
-
keylog_folder
CastC
-
keylog_path
%AppData%
-
mouse_option
false
-
mutex
remcos_sccafsoidz
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screens
-
screenshot_path
%AppData%
-
screenshot_time
1
-
startup_value
remcos
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
e64b687735f08d83a710e6e493346feb.exe
-
Size
228KB
-
MD5
e64b687735f08d83a710e6e493346feb
-
SHA1
42330b4138ce8d74ddf94ccde3cf56678aea4c78
-
SHA256
c5527f31480ac48e227122ccc4239db78bf3094bbbba6f6e1dd6c30e788ac7ae
-
SHA512
f51fb52208429fc9b97881f23d34145bf06a9526827c1ce19240fbf21b1627d0d9b6012584c98ce432a72470fcf33a7e3ec344085f1c83822f29f6accb8846c1
-
SSDEEP
6144:RPTRtufdY7vzXpjYgV53GUEMlqJ8eFNL++y:MG7vzZXW+4NH
Score8/10-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
e65dc6f84e8571ee0c8d0df1c15ab10c168f9e8951c0e9d61bae78ca53bb1e10.exe
-
Size
2.0MB
-
MD5
7557bbff187c92eb67752330d640c103
-
SHA1
cb6d84da9ed514d1bbe319af28ae240752b18bfe
-
SHA256
e65dc6f84e8571ee0c8d0df1c15ab10c168f9e8951c0e9d61bae78ca53bb1e10
-
SHA512
0e3f9b5bc0accf6e7f18eaeab13a9be6c75eb4414d065aa58b3a2de05740241eea16aaff8fff3e047668a26651c6a27beabe6c2c76897d08ac69c1718b08c885
-
SSDEEP
49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
-
-
Target
e67e28bf496e7f9625bf94a126253aac.exe
-
Size
143KB
-
MD5
e67e28bf496e7f9625bf94a126253aac
-
SHA1
0fa0895e7332dcd5671e5debb90931bbb19653af
-
SHA256
4549878374bcf9d4b5b872e0423eed14635eb8c9317c9d3da1bff246c6034aae
-
SHA512
5a6bcf68b213b843ae26a783fa08cb20bca4f8b5ec84fb1e8eff20034da57072cae71950fdbeff99bb7f573d8752c2ba083052f39bf3a7730682e7cf255f32d3
-
SSDEEP
3072:xPd4n/M+WLcilrpgGH/GwY87mVmIXhIHVSsr:xP6/M+WLckOBhVmIYBr
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e699919d5d4dee2a70455861a6aeddad.exe
-
Size
43KB
-
MD5
e699919d5d4dee2a70455861a6aeddad
-
SHA1
bc692ff7f936247df00ca166feb3f905da04794b
-
SHA256
bbff4d03281a83df13c01bf5b2dbdb8c0510993c88954321c1483cf0ecd7fa56
-
SHA512
42985e0a96f854bad3739de65108723dbfcef4ff7cd2e54ce7970ca63c64eb47ff16c1a5f3be4f4b9ea0c83ad7ad41aaeaa60d6200da6d392c6182df618c6067
-
SSDEEP
384:3Zy+Uun1iDcsyEqt3ptKwQmMxGhOEEW9D9O5UE5QzwBlpJNakkjh/TzF7pWn/Ggy:JHnU4pEqt5tKhqhivQO+aO+L
Score3/10 -
-
-
Target
e70b65e1d80063b1fdfc5b439f8ec121.exe
-
Size
31KB
-
MD5
e70b65e1d80063b1fdfc5b439f8ec121
-
SHA1
e57593fb0e9a33cb82470b402d93ada69f6bde0d
-
SHA256
be397dc5de47dab7fe463cc85e584959daf279c54a14063432598b4f237e2c88
-
SHA512
d6acae917fc56eab81f496b3d06ff4f1ca3b07edbabb2f4de41cd2d98d480ca45f659ccf10d56ea3ffc61b71b77509877adf8557835c4e9d34b1f318c7a55248
-
SSDEEP
768:pj8p5d5rLmzxBuJJKye8nu4LPv67QmIDUu0tiNJCj:evKO+4jwQVkTj
Score10/10-
Njrat family
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
-
-
Target
e7193d347375dbb471134f1772410284.exe
-
Size
41KB
-
MD5
e7193d347375dbb471134f1772410284
-
SHA1
cb2e5a367488fc004eb6469cdc49d8278835efbf
-
SHA256
ff976ade83191c5dbd4a095a3755faeb92ea0fef940a9e191c1e92a2e448ba16
-
SHA512
f8ff2e91511d1060a414c029b7fe71009ce10e90dc4e0cdd66f1051cbfd01f7adb68b0843708dd8d6d86a846401d7a84f97528a74ea3b54fb35e7ec49c9e5550
-
SSDEEP
768:EqZAuyVGTZgZm5Plxjvr6F5Pa96NN106tOwhk33Qw:EqZAuy8ZYmBjeFY9oNS6tOwCgw
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
-
-
Target
e740e379c5b6d33ab42fea238735745f5965d78dfbca807496686cd94cfa57b9.exe
-
Size
1.7MB
-
MD5
acec4e3a3a6a8a6ce6aa2cd917bfb911
-
SHA1
87dbf1d948f71fb4b62b1c18289df01637bf76b9
-
SHA256
e740e379c5b6d33ab42fea238735745f5965d78dfbca807496686cd94cfa57b9
-
SHA512
2eecb7e1ebd091062edae5619e3850ed763432a9024a01046e63c3cfd8fef3f74f2e046e00959da67fc02aebb128bfef479600955a0153966ae84a37b3a877cc
-
SSDEEP
24576:hD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjom7:hp7E+QrFUBgq2v7
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
-
-
Target
e751c36e12f90580dfa17b05b50269a413ae64807c60a7a0f1e58bcd38f6fb39.exe
-
Size
537KB
-
MD5
0ebe1df49d3810aa2345de3c1179c39f
-
SHA1
b1d6541cc7db9e3065fc81eb95207a588ee60ced
-
SHA256
e751c36e12f90580dfa17b05b50269a413ae64807c60a7a0f1e58bcd38f6fb39
-
SHA512
14d5906c3347b8f7d7debdc8fafaa33762f1f009057e7d3fc66f4347a8845662315b4c9b466219cd2d38b9ba19c6ab03147c4a530b577813179388428caf1cd1
-
SSDEEP
6144:V2uu5QRM/XRVQBk2WYjEve6VlWT8b96v0NwnSbaNCzP6akbLOdEcixR:V2f5VQUPVle80v7aUOdEcixR
Score1/10 -
-
-
Target
e7573bcf859fd192353ba79f43e0cca1.exe
-
Size
2.1MB
-
MD5
e7573bcf859fd192353ba79f43e0cca1
-
SHA1
92d91a8d995daa54c835839cc5ac0f3e91425a65
-
SHA256
f2815a4651b0b255e936709905c664b0c239f14523caf00879c6a9d6b66132f5
-
SHA512
a9e759da56ebc339cdecfecd64ee4aa3d7b26f3099d827a9afa1a35fc49b4bdc1c8e87ec0b255184080cb3d1966a6310d1f9f70621d2d63f1c3a81a0b422ee13
-
SSDEEP
49152:S/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4Cf/:r
Score7/10-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
e787228874f75520e2a95df7768ba99b.exe
-
Size
984KB
-
MD5
e787228874f75520e2a95df7768ba99b
-
SHA1
03c4f765750cf2f42f3421f80353376a665ab9a5
-
SHA256
4acafc42154659f6098bf63fa5671b7ab8b72d27785ad7737112ec2dbbc32bf4
-
SHA512
48ea43fe8cfd0a7f5f9609ec30546ab3e9a356d0bb03327e9edf2899daf1251059ba8397061e560090c1eb33f9887ae7c23756fed263266311701f1f36c33fcf
-
SSDEEP
12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Drops file in System32 directory
-
-
-
Target
e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe
-
Size
1.6MB
-
MD5
d49f9f0f5730138879ce947728596fe0
-
SHA1
4757810dc00db1570dfd3508acaf6fd47b925e07
-
SHA256
e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b
-
SHA512
099508a93873b25601ab8e187cc731a00d6248455a3e60738bfc0f0d9eb23504f21cdb121b30fdd63d82eb5fd597f7f2a4629f489551dc7b08cf96acb68dbe9b
-
SSDEEP
24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
-
-
Target
e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe
-
Size
5.9MB
-
MD5
1e36a4648b29e6f1e182d0db0c45a3be
-
SHA1
934d5fe30ed8233d77098f1214d07b0d009e5371
-
SHA256
e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7
-
SHA512
ec6ddc3da4d504bac611d61d0e294f74e1092ce0d6afc1e56641ec99b44237af1fcbce374b39eb1b8aaf9e57de5997bd6917b38e1a5cf5c34f44e93e089061b2
-
SSDEEP
98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4H:RyeU11Rvqmu8TWKnF6N/1wK
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
e864953c3a95b063ace86177e1914753.exe
-
Size
5.9MB
-
MD5
e864953c3a95b063ace86177e1914753
-
SHA1
472bc71ef2e9c06ff3271fc0623f79a95ed2fe93
-
SHA256
d11fecef716ab9ab91bb2342635dd89113e0cce4313229abbc80462facaefad9
-
SHA512
f947ad181a748964673ce7fcff6ba8cb192079cf4f095ce60e44b4ff0a5bd241a06b0cca88899b91ad8064c3d000946a6da1bb7d7b61759b9a5888e8aa64a435
-
SSDEEP
98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4J:hyeU11Rvqmu8TWKnF6N/1wo
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
Target
e8686658e2163a23de75fe75807e0d12.exe
-
Size
2.4MB
-
MD5
e8686658e2163a23de75fe75807e0d12
-
SHA1
13b967640328c617d05ddb7dc2e81f6c42b87a8c
-
SHA256
fc8ad2197b7f953a85e6333561efa2d83249e7926ece6d2e4dd4d5eedba3f4fc
-
SHA512
f318ca4f413301aceacfbd9f0fc3a6c2120df88a48fd545c14253ae534a782c2a0b1062bac5025f13c7a8d4b9965945574b7d606b4385b94e991cd9e75d9d4e6
-
SSDEEP
49152:6vFIuOCJ2YfXjBfAYYqY0vI6DOTwv1X8Sdh6KqQRc5L5B:ScmTVAYYqQ6DOTwNsSdh6Kfc5L5
Score3/10 -
-
-
Target
e8add323447be730ffb34507864ea6c71e16df32e6668ce7eb03839e3f0e49f4.exe
-
Size
2.0MB
-
MD5
bc3ad2f2cf115c59001b9218e1a7227e
-
SHA1
03661c865461ca2b330d82b11490126597ed9809
-
SHA256
e8add323447be730ffb34507864ea6c71e16df32e6668ce7eb03839e3f0e49f4
-
SHA512
16089aec2bfd51e733969205ef591c209fcb64bacc227f97e7146bfce9e2b4a318506b01c7eb4c6325c029262f653dda2a89b721396db3f26f1699a551d79a98
-
SSDEEP
49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N
Score10/10-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
DCRat payload
Detects payload of DCRat, commonly dropped by NSIS installers.
-
-
-
Target
e8cdbe10bd3316f1f52cfd57c431f914.exe
-
Size
33KB
-
MD5
e8cdbe10bd3316f1f52cfd57c431f914
-
SHA1
2e3d81ff5caff8984f182148d4dffd3c0d33bdf1
-
SHA256
99ae94311bb4cc0d06d8288999c1a12e527b2904c1fe5efcd826d485701fdc9f
-
SHA512
22154b49d3945f153bcb5488e05fa24c6ff57c45b64b57db1f48406cd7f7f41180afad0997421dcf3ea81666cf0b8e6343709a9fce01eba3c78d332f03208988
-
SSDEEP
384:cfP/SG1aTTcPTEUV75LC2SM42pfL3iB7OxVqWqKRApkFXBLTsOZwpGN2v99Ikui8:u11weF3X42JiB70lVF49jVzOjhYbC
Score10/10-
Detect Xworm Payload
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
2Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
3Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1