General

  • Target

    archive_57.zip

  • Size

    52.6MB

  • Sample

    250322-g2knnatkt2

  • MD5

    cfcf8a48803b5d7e40eb5caa48927daa

  • SHA1

    cabb20fa9f372588726f179a4cbcd3411dc05f7d

  • SHA256

    e5d28ec84e4b5f023e3f386cf7e0776850b67e2bad1299413885f3fdd757f58c

  • SHA512

    e89d8de61dd1af53cfa72e9f640297dee76499ac22eb1384cad2bf89a03339db892bbf02d02ac0852eb9eba1333eb72d44d15bdf81acc22e781b7a5c6a43b21a

  • SSDEEP

    786432:y6PaCRm//yxNN//yxNkfZ0iS1H5ZawLcBdQegJwI6T5o5IgJrOHxvnoa4b8/29tl:hLRGatawqhAVnIioVFORvozU2XSS

Malware Config

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

topher

C2

127.0.0.1:5552

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

rantu.ddns.net:1177

Mutex

2eb54f435f25eb81272f7f2f1d81c98d

Attributes
  • reg_key

    2eb54f435f25eb81272f7f2f1d81c98d

  • splitter

    Y262SUCZ4UJJ

Extracted

Family

xworm

Version

5.0

C2

27.ip.gl.ply.gg:4563

127.0.0.1:1603

morning-ultimately.gl.at.ply.gg:1603

Mutex

MF6dhFMwgcljrzUB

Attributes
  • Install_directory

    %Public%

  • install_file

    rozetka228.exe

  • telegram

    https://api.telegram.org/bot7809829240:AAGhYA4SPUVIk4XcRD9Y4PjF3oUrHO6XJcM/sendMessage?chat_id=5838837539

  • aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

XboxE

C2

vncdz213.ddns.net:7500

Mutex

e431bd5145cebea0bba46beb9fc0ccac

Attributes
  • reg_key

    e431bd5145cebea0bba46beb9fc0ccac

  • splitter

    |'|'|

Extracted

Family

xworm

Version

3.1

Attributes
  • install_file

    Mason.exe

Extracted

Family

njrat

Version

im523

Botnet

HacKed

C2

127.0.0.1:8884

Mutex

e74b08658c528d3d311506adb49a025a

Attributes
  • reg_key

    e74b08658c528d3d311506adb49a025a

  • splitter

    |'|'|

Extracted

Family

xworm

C2

127.0.0.1:3775

discussion-temp.gl.at.ply.gg:3775

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1351374291261718571/m5LIIWlqorXnzT48pitTuxfMUMetQJ52rJhbTqyDfIywVmJ3ZnM3iUIHTa3R0uTiMSFB

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
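The configurations above mix actionable indicators with values that should not go into a blocklist as they stand: the njrat and xworm C2 entries pointing at 127.0.0.1 are loopback addresses (builder defaults or test builds), the *.ply.gg hosts are playit.gg tunnel endpoints, the *.ddns.net hosts are dynamic DNS names that resolve to whatever the operator currently sets, and the Telegram bot URL and Discord webhook live on legitimate hosts, so their value is the embedded bot token or webhook ID rather than the domain. The following Python script is an added example and is not part of the report or of the sandbox's tooling; the config values are transcribed from the Malware Config section above, while the suffix lists and classification rules are this example's own assumptions.

```python
"""Turn the extracted RAT configurations into a de-duplicated IOC set.

Added example. Config values are transcribed from this report; the suffix
lists and classification rules are this example's own assumptions.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Transcribed from the "Malware Config" section of this report.
CONFIGS = [
    {"family": "njrat", "c2": ["127.0.0.1:5552"],
     "mutex": "Windows Update", "reg_key": "Windows Update"},
    {"family": "njrat", "c2": ["rantu.ddns.net:1177"],
     "mutex": "2eb54f435f25eb81272f7f2f1d81c98d", "reg_key": "2eb54f435f25eb81272f7f2f1d81c98d"},
    {"family": "xworm",
     "c2": ["27.ip.gl.ply.gg:4563", "127.0.0.1:1603", "morning-ultimately.gl.at.ply.gg:1603"],
     "mutex": "MF6dhFMwgcljrzUB", "install_dir": "%Public%", "install_file": "rozetka228.exe",
     "telegram": "https://api.telegram.org/bot7809829240:AAGhYA4SPUVIk4XcRD9Y4PjF3oUrHO6XJcM"
                 "/sendMessage?chat_id=5838837539"},
    {"family": "njrat", "c2": ["vncdz213.ddns.net:7500"],
     "mutex": "e431bd5145cebea0bba46beb9fc0ccac", "reg_key": "e431bd5145cebea0bba46beb9fc0ccac"},
    {"family": "xworm", "install_file": "Mason.exe"},
    {"family": "njrat", "c2": ["127.0.0.1:8884"],
     "mutex": "e74b08658c528d3d311506adb49a025a", "reg_key": "e74b08658c528d3d311506adb49a025a"},
    {"family": "xworm", "c2": ["127.0.0.1:3775", "discussion-temp.gl.at.ply.gg:3775"],
     "install_dir": "%Userprofile%", "install_file": "svchost.exe"},
    {"family": "umbral", "c2": ["https://discord.com/api/webhooks/1351374291261718571/"
                                 "m5LIIWlqorXnzT48pitTuxfMUMetQJ52rJhbTqyDfIywVmJ3ZnM3iUIHTa3R0uTiMSFB"]},
    {"family": "remcos",
     "c2": ["213.183.58.19:4000", "systemcontrol.ddns.net:45000", "systemcontrol2.ddns.net:45000"],
     "mutex": "remcos_sccafsoidz", "install_dir": "%AppData%\\remcos", "copy_file": "remcos.exe"},
]

# Assumption: only the two suffixes seen in this report; extend for your environment.
TUNNEL_SUFFIXES = (".ply.gg",)    # playit.gg tunnels: block FQDN:port, never the provider
DYNDNS_SUFFIXES = (".ddns.net",)  # No-IP dynamic DNS: resolves to whatever the operator sets

TELEGRAM_RE = re.compile(r"^https://api\.telegram\.org/bot(?P<token>\d+:[\w-]+)/")
DISCORD_RE = re.compile(r"^https://discord(?:app)?\.com/api/webhooks/(?P<id>\d+)/(?P<token>[\w-]+)")


def classify_c2(endpoint):
    """Split host:port and decide whether the endpoint is worth blocking."""
    host, _, port = endpoint.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
        # Loopback/private: builder default or test build, useless as a network IOC.
        kind, actionable = ("loopback_or_private", False) if ip.is_loopback or ip.is_private else ("ip", True)
    except ValueError:
        actionable = True
        kind = "tunnel" if host.endswith(TUNNEL_SUFFIXES) else "dyndns" if host.endswith(DYNDNS_SUFFIXES) else "domain"
    return {"host": host, "port": int(port), "kind": kind, "actionable": actionable}


def exfil_credential(url):
    """Extract the secret from a Telegram bot or Discord webhook URL.

    api.telegram.org and discord.com are legitimate hosts; the operator is
    identified by the bot token or webhook ID, which is what gets reported
    to the platform or revoked, not the domain.
    """
    m = TELEGRAM_RE.match(url)
    if m:
        chat_id = parse_qs(urlparse(url).query).get("chat_id", [None])[0]
        return {"service": "telegram", "token": m["token"], "chat_id": chat_id}
    m = DISCORD_RE.match(url)
    if m:
        return {"service": "discord", "webhook_id": m["id"], "token": m["token"]}
    return None


def build_iocs(configs):
    """Return sorted network IOCs, host IOCs (keyed by family) and exfil credentials."""
    network, host, creds = set(), set(), []
    for cfg in configs:
        for endpoint in cfg.get("c2", []):
            if endpoint.startswith("http"):
                cred = exfil_credential(endpoint)
                if cred:
                    creds.append(dict(cred, family=cfg["family"]))
                continue
            c2 = classify_c2(endpoint)
            if c2["actionable"]:
                network.add((c2["host"], c2["port"], c2["kind"]))
        if "telegram" in cfg:
            cred = exfil_credential(cfg["telegram"])
            if cred:
                creds.append(dict(cred, family=cfg["family"]))
        for key in ("mutex", "reg_key"):
            if key in cfg:
                host.add((cfg["family"], key, cfg[key]))
        # A bare install file name (svchost.exe) is weak; keep it together with its directory.
        for key in ("install_file", "copy_file"):
            if key in cfg:
                host.add((cfg["family"], key, cfg.get("install_dir", "?") + "\\" + cfg[key]))
    return {"network": sorted(network), "host": sorted(host), "credentials": creds}
```

build_iocs(CONFIGS) yields eight network endpoints (the four loopback C2s are dropped), fourteen host indicators and the two exfiltration credentials. Generic host values such as the Windows Update registry value or an install file named svchost.exe are only meaningful together with their path and the family they came from, which is why the host tuples keep both.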

Targets

    • Target

      e64b687735f08d83a710e6e493346feb.exe

    • Size

      228KB

    • MD5

      e64b687735f08d83a710e6e493346feb

    • SHA1

      42330b4138ce8d74ddf94ccde3cf56678aea4c78

    • SHA256

      c5527f31480ac48e227122ccc4239db78bf3094bbbba6f6e1dd6c30e788ac7ae

    • SHA512

      f51fb52208429fc9b97881f23d34145bf06a9526827c1ce19240fbf21b1627d0d9b6012584c98ce432a72470fcf33a7e3ec344085f1c83822f29f6accb8846c1

    • SSDEEP

      6144:RPTRtufdY7vzXpjYgV53GUEMlqJ8eFNL++y:MG7vzZXW+4NH

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Command and Scripting Interpreter: PowerShell

      Runs a powershell.exe command.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
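The Defender-exclusion behaviour flagged for this target (and again for three of the DCRat targets below) shows up in process-creation telemetry as a powershell.exe command line containing Add-MpPreference or Set-MpPreference with -ExclusionPath, -ExclusionExtension or -ExclusionProcess, frequently hidden behind -EncodedCommand. The following Python detector is an added example and not part of the report: the command lines it scans are constructed for illustration (the first one borrows the %Public%\rozetka228.exe install location from the xworm config above; it is not a command captured from the sample), while the cmdlet and parameter names are the real Windows Defender PowerShell interface.

```python
"""Flag PowerShell command lines that add Windows Defender exclusions.

Added example, not from the report. Cmdlet and parameter names are the
real Add-MpPreference / Set-MpPreference interface; the sample command
lines are constructed for illustration.
"""
import base64
import re

CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# Matches -ExclusionPath 'C:\x', -ExclusionExtension "exe", -ExclusionProcess foo.exe
PARAM_RE = re.compile(
    r"-(Exclusion(?:Path|Extension|Process))\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
CANON = {"exclusionpath": "ExclusionPath", "exclusionextension": "ExclusionExtension",
         "exclusionprocess": "ExclusionProcess"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m[1]).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect(cmdline):
    """Return a finding for one process command line, or None if it is clean."""
    decoded = decode_encoded_command(cmdline)
    # Scan the raw line and the decoded script together so both forms are caught.
    text = cmdline if decoded is None else cmdline + " " + decoded
    m = CMDLET_RE.search(text)
    if not m:
        return None
    exclusions = {}
    for name, q1, q2, bare in PARAM_RE.findall(text):
        exclusions.setdefault(CANON[name.lower()], []).append(q1 or q2 or bare)
    return {"cmdlet": m[1].title() + "-MpPreference", "exclusions": exclusions,
            "encoded": decoded is not None}


def scan(cmdlines):
    """Run inspect over a batch of command lines; returns (index, finding) pairs."""
    findings = []
    for i, line in enumerate(cmdlines):
        finding = inspect(line)
        if finding:
            findings.append((i, finding))
    return findings


def _encode(script):
    """PowerShell's -EncodedCommand format: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not captured from the sample). The first
# borrows the %Public%\rozetka228.exe install location from the xworm config.
SAMPLE_CMDLINES = [
    'powershell.exe -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '
    "'C:\\Users\\Public' -ExclusionExtension 'exe' -ExclusionProcess 'rozetka228.exe'\"",
    "powershell.exe -nop -w hidden -enc " + _encode("Add-MpPreference -ExclusionProcess svchost.exe"),
    'powershell.exe -Command "Get-MpPreference | Select-Object ExclusionPath"',  # benign audit
    "cmd.exe /c whoami",
]
```

Set-MpPreference replaces the exclusion lists while Add-MpPreference appends to them; both are flagged, and a hit without any Exclusion* parameter is still worth a look because the same cmdlets turn off other Defender features. Confirm a hit on the host with Get-MpPreference, and look for event ID 5007 (configuration changed) in the Microsoft-Windows-Windows Defender/Operational log, which records the change even when the command line was not logged.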

    • Target

      e65dc6f84e8571ee0c8d0df1c15ab10c168f9e8951c0e9d61bae78ca53bb1e10.exe

    • Size

      2.0MB

    • MD5

      7557bbff187c92eb67752330d640c103

    • SHA1

      cb6d84da9ed514d1bbe319af28ae240752b18bfe

    • SHA256

      e65dc6f84e8571ee0c8d0df1c15ab10c168f9e8951c0e9d61bae78ca53bb1e10

    • SHA512

      0e3f9b5bc0accf6e7f18eaeab13a9be6c75eb4414d065aa58b3a2de05740241eea16aaff8fff3e047668a26651c6a27beabe6c2c76897d08ac69c1718b08c885

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • DCRat payload

      Detects the DCRat payload, commonly dropped by NSIS installers.

    • Target

      e67e28bf496e7f9625bf94a126253aac.exe

    • Size

      143KB

    • MD5

      e67e28bf496e7f9625bf94a126253aac

    • SHA1

      0fa0895e7332dcd5671e5debb90931bbb19653af

    • SHA256

      4549878374bcf9d4b5b872e0423eed14635eb8c9317c9d3da1bff246c6034aae

    • SHA512

      5a6bcf68b213b843ae26a783fa08cb20bca4f8b5ec84fb1e8eff20034da57072cae71950fdbeff99bb7f573d8752c2ba083052f39bf3a7730682e7cf255f32d3

    • SSDEEP

      3072:xPd4n/M+WLcilrpgGH/GwY87mVmIXhIHVSsr:xP6/M+WLckOBhVmIYBr

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e699919d5d4dee2a70455861a6aeddad.exe

    • Size

      43KB

    • MD5

      e699919d5d4dee2a70455861a6aeddad

    • SHA1

      bc692ff7f936247df00ca166feb3f905da04794b

    • SHA256

      bbff4d03281a83df13c01bf5b2dbdb8c0510993c88954321c1483cf0ecd7fa56

    • SHA512

      42985e0a96f854bad3739de65108723dbfcef4ff7cd2e54ce7970ca63c64eb47ff16c1a5f3be4f4b9ea0c83ad7ad41aaeaa60d6200da6d392c6182df618c6067

    • SSDEEP

      384:3Zy+Uun1iDcsyEqt3ptKwQmMxGhOEEW9D9O5UE5QzwBlpJNakkjh/TzF7pWn/Ggy:JHnU4pEqt5tKhqhivQO+aO+L

    Score
    3/10
    • Target

      e70b65e1d80063b1fdfc5b439f8ec121.exe

    • Size

      31KB

    • MD5

      e70b65e1d80063b1fdfc5b439f8ec121

    • SHA1

      e57593fb0e9a33cb82470b402d93ada69f6bde0d

    • SHA256

      be397dc5de47dab7fe463cc85e584959daf279c54a14063432598b4f237e2c88

    • SHA512

      d6acae917fc56eab81f496b3d06ff4f1ca3b07edbabb2f4de41cd2d98d480ca45f659ccf10d56ea3ffc61b71b77509877adf8557835c4e9d34b1f318c7a55248

    • SSDEEP

      768:pj8p5d5rLmzxBuJJKye8nu4LPv67QmIDUu0tiNJCj:evKO+4jwQVkTj

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      e7193d347375dbb471134f1772410284.exe

    • Size

      41KB

    • MD5

      e7193d347375dbb471134f1772410284

    • SHA1

      cb2e5a367488fc004eb6469cdc49d8278835efbf

    • SHA256

      ff976ade83191c5dbd4a095a3755faeb92ea0fef940a9e191c1e92a2e448ba16

    • SHA512

      f8ff2e91511d1060a414c029b7fe71009ce10e90dc4e0cdd66f1051cbfd01f7adb68b0843708dd8d6d86a846401d7a84f97528a74ea3b54fb35e7ec49c9e5550

    • SSDEEP

      768:EqZAuyVGTZgZm5Plxjvr6F5Pa96NN106tOwhk33Qw:EqZAuy8ZYmBjeFY9oNS6tOwCgw

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      e740e379c5b6d33ab42fea238735745f5965d78dfbca807496686cd94cfa57b9.exe

    • Size

      1.7MB

    • MD5

      acec4e3a3a6a8a6ce6aa2cd917bfb911

    • SHA1

      87dbf1d948f71fb4b62b1c18289df01637bf76b9

    • SHA256

      e740e379c5b6d33ab42fea238735745f5965d78dfbca807496686cd94cfa57b9

    • SHA512

      2eecb7e1ebd091062edae5619e3850ed763432a9024a01046e63c3cfd8fef3f74f2e046e00959da67fc02aebb128bfef479600955a0153966ae84a37b3a877cc

    • SSDEEP

      24576:hD39v74lfGQrFUspugRNJI2DJ53J/J/L5dJPjom7:hp7E+QrFUBgq2v7

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      e751c36e12f90580dfa17b05b50269a413ae64807c60a7a0f1e58bcd38f6fb39.exe

    • Size

      537KB

    • MD5

      0ebe1df49d3810aa2345de3c1179c39f

    • SHA1

      b1d6541cc7db9e3065fc81eb95207a588ee60ced

    • SHA256

      e751c36e12f90580dfa17b05b50269a413ae64807c60a7a0f1e58bcd38f6fb39

    • SHA512

      14d5906c3347b8f7d7debdc8fafaa33762f1f009057e7d3fc66f4347a8845662315b4c9b466219cd2d38b9ba19c6ab03147c4a530b577813179388428caf1cd1

    • SSDEEP

      6144:V2uu5QRM/XRVQBk2WYjEve6VlWT8b96v0NwnSbaNCzP6akbLOdEcixR:V2f5VQUPVle80v7aUOdEcixR

    Score
    1/10
    • Target

      e7573bcf859fd192353ba79f43e0cca1.exe

    • Size

      2.1MB

    • MD5

      e7573bcf859fd192353ba79f43e0cca1

    • SHA1

      92d91a8d995daa54c835839cc5ac0f3e91425a65

    • SHA256

      f2815a4651b0b255e936709905c664b0c239f14523caf00879c6a9d6b66132f5

    • SHA512

      a9e759da56ebc339cdecfecd64ee4aa3d7b26f3099d827a9afa1a35fc49b4bdc1c8e87ec0b255184080cb3d1966a6310d1f9f70621d2d63f1c3a81a0b422ee13

    • SSDEEP

      49152:S/FBVWix5TC0/5ljAhscAWlMym/HXR1supwJ4Cf/:r

    Score
    7/10
    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Target

      e787228874f75520e2a95df7768ba99b.exe

    • Size

      984KB

    • MD5

      e787228874f75520e2a95df7768ba99b

    • SHA1

      03c4f765750cf2f42f3421f80353376a665ab9a5

    • SHA256

      4acafc42154659f6098bf63fa5671b7ab8b72d27785ad7737112ec2dbbc32bf4

    • SHA512

      48ea43fe8cfd0a7f5f9609ec30546ab3e9a356d0bb03327e9edf2899daf1251059ba8397061e560090c1eb33f9887ae7c23756fed263266311701f1f36c33fcf

    • SSDEEP

      12288:LzZvuvewk/0pPPXA5q/TQ9+n95vV25gnwHexSDwbwvDxlpaS98IUNldnd65EgF1s:LzZvuGD2PvA5YxwmbZB6Uv

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Adds Run key to start application

    • Drops file in System32 directory

    • Target

      e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b.exe

    • Size

      1.6MB

    • MD5

      d49f9f0f5730138879ce947728596fe0

    • SHA1

      4757810dc00db1570dfd3508acaf6fd47b925e07

    • SHA256

      e80000db8c58338a7944e72e30e5ece016290acb6bd9a2129e796ec576da934b

    • SHA512

      099508a93873b25601ab8e187cc731a00d6248455a3e60738bfc0f0d9eb23504f21cdb121b30fdd63d82eb5fd597f7f2a4629f489551dc7b08cf96acb68dbe9b

    • SSDEEP

      24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Target

      e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7.exe

    • Size

      5.9MB

    • MD5

      1e36a4648b29e6f1e182d0db0c45a3be

    • SHA1

      934d5fe30ed8233d77098f1214d07b0d009e5371

    • SHA256

      e82aaf456af5fe5a644f8dc0d34133c9b37337bb5ab028fc75ab448a30cae0e7

    • SHA512

      ec6ddc3da4d504bac611d61d0e294f74e1092ce0d6afc1e56641ec99b44237af1fcbce374b39eb1b8aaf9e57de5997bd6917b38e1a5cf5c34f44e93e089061b2

    • SSDEEP

      98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4H:RyeU11Rvqmu8TWKnF6N/1wK

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      e864953c3a95b063ace86177e1914753.exe

    • Size

      5.9MB

    • MD5

      e864953c3a95b063ace86177e1914753

    • SHA1

      472bc71ef2e9c06ff3271fc0623f79a95ed2fe93

    • SHA256

      d11fecef716ab9ab91bb2342635dd89113e0cce4313229abbc80462facaefad9

    • SHA512

      f947ad181a748964673ce7fcff6ba8cb192079cf4f095ce60e44b4ff0a5bd241a06b0cca88899b91ad8064c3d000946a6da1bb7d7b61759b9a5888e8aa64a435

    • SSDEEP

      98304:hyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4J:hyeU11Rvqmu8TWKnF6N/1wo

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      e8686658e2163a23de75fe75807e0d12.exe

    • Size

      2.4MB

    • MD5

      e8686658e2163a23de75fe75807e0d12

    • SHA1

      13b967640328c617d05ddb7dc2e81f6c42b87a8c

    • SHA256

      fc8ad2197b7f953a85e6333561efa2d83249e7926ece6d2e4dd4d5eedba3f4fc

    • SHA512

      f318ca4f413301aceacfbd9f0fc3a6c2120df88a48fd545c14253ae534a782c2a0b1062bac5025f13c7a8d4b9965945574b7d606b4385b94e991cd9e75d9d4e6

    • SSDEEP

      49152:6vFIuOCJ2YfXjBfAYYqY0vI6DOTwv1X8Sdh6KqQRc5L5B:ScmTVAYYqQ6DOTwNsSdh6Kfc5L5

    Score
    3/10
    • Target

      e8add323447be730ffb34507864ea6c71e16df32e6668ce7eb03839e3f0e49f4.exe

    • Size

      2.0MB

    • MD5

      bc3ad2f2cf115c59001b9218e1a7227e

    • SHA1

      03661c865461ca2b330d82b11490126597ed9809

    • SHA256

      e8add323447be730ffb34507864ea6c71e16df32e6668ce7eb03839e3f0e49f4

    • SHA512

      16089aec2bfd51e733969205ef591c209fcb64bacc227f97e7146bfce9e2b4a318506b01c7eb4c6325c029262f653dda2a89b721396db3f26f1699a551d79a98

    • SSDEEP

      49152:7rYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:7dxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • DCRat payload

      Detects the DCRat payload, commonly dropped by NSIS installers.

    • Target

      e8cdbe10bd3316f1f52cfd57c431f914.exe

    • Size

      33KB

    • MD5

      e8cdbe10bd3316f1f52cfd57c431f914

    • SHA1

      2e3d81ff5caff8984f182148d4dffd3c0d33bdf1

    • SHA256

      99ae94311bb4cc0d06d8288999c1a12e527b2904c1fe5efcd826d485701fdc9f

    • SHA512

      22154b49d3945f153bcb5488e05fa24c6ff57c45b64b57db1f48406cd7f7f41180afad0997421dcf3ea81666cf0b8e6343709a9fce01eba3c78d332f03208988

    • SSDEEP

      384:cfP/SG1aTTcPTEUV75LC2SM42pfL3iB7OxVqWqKRApkFXBLTsOZwpGN2v99Ikui8:u11weF3X42JiB70lVF49jVzOjhYbC

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

MITRE ATT&CK Enterprise v15

Tasks

static1 is the static analysis of the whole archive; the behavioral tasks are listed in pairs, in the same order as the Targets above (two runs per target).

Task          Score  Tags
static1       10/10  rat topher hacked xboxe dcrat njrat xworm umbral
behavioral1    8/10  discovery execution spyware stealer
behavioral2    8/10  discovery execution spyware stealer
behavioral3   10/10  dcrat infostealer rat
behavioral4   10/10  dcrat infostealer rat
behavioral5   10/10  remcos host discovery persistence rat
behavioral6   10/10  remcos host discovery persistence rat
behavioral7    3/10  discovery
behavioral8    3/10  discovery
behavioral9   10/10  njrat hacked defense_evasion discovery persistence privilege_escalation trojan
behavioral10  10/10  njrat defense_evasion discovery persistence privilege_escalation trojan
behavioral11  10/10  xworm rat trojan
behavioral12  10/10  xworm rat trojan
behavioral13  10/10  remcos host discovery persistence rat spyware stealer
behavioral14  10/10  remcos host discovery persistence rat spyware stealer
behavioral15   1/10  -
behavioral16   1/10  -
behavioral17   7/10  -
behavioral18   7/10  -
behavioral19  10/10  dcrat infostealer persistence rat
behavioral20  10/10  dcrat infostealer persistence rat
behavioral21  10/10  dcrat execution infostealer rat
behavioral22  10/10  dcrat execution infostealer rat
behavioral23  10/10  dcrat defense_evasion execution infostealer rat trojan
behavioral24  10/10  dcrat defense_evasion execution infostealer rat trojan
behavioral25  10/10  dcrat defense_evasion execution infostealer rat trojan
behavioral26  10/10  dcrat defense_evasion execution infostealer rat trojan
behavioral27   3/10  discovery
behavioral28   3/10  discovery
behavioral29  10/10  dcrat infostealer rat
behavioral30  10/10  dcrat infostealer rat
behavioral31  10/10  xworm rat trojan
behavioral32  10/10  xworm rat trojan