Overview

overview

10

Static

static

10

21f28d08dc...4a.exe

windows7-x64

10

21f28d08dc...4a.exe

windows10-2004-x64

10

21f66f607b...31.exe

windows7-x64

10

21f66f607b...31.exe

windows10-2004-x64

10

2225aa5547...66.exe

windows7-x64

10

2225aa5547...66.exe

windows10-2004-x64

10

229543f6c7...72.exe

windows7-x64

10

229543f6c7...72.exe

windows10-2004-x64

10

229ce4ad22...42.exe

windows7-x64

10

229ce4ad22...42.exe

windows10-2004-x64

10

22ce8222d2...5b.exe

windows7-x64

10

22ce8222d2...5b.exe

windows10-2004-x64

10

22e982850d...20.exe

windows7-x64

10

22e982850d...20.exe

windows10-2004-x64

10

22f097b0a0...91.exe

windows7-x64

1

22f097b0a0...91.exe

windows10-2004-x64

1

22f1f6e81e...ff.exe

windows7-x64

10

22f1f6e81e...ff.exe

windows10-2004-x64

10

231f156f9f...36.exe

windows7-x64

10

231f156f9f...36.exe

windows10-2004-x64

10

23f2f3a3cd...99.exe

windows7-x64

10

23f2f3a3cd...99.exe

windows10-2004-x64

10

23f9b03d2d...b9.exe

windows7-x64

10

23f9b03d2d...b9.exe

windows10-2004-x64

10

23ff6ba14d...91.exe

windows7-x64

10

23ff6ba14d...91.exe

windows10-2004-x64

10

241c1d05ad...47.exe

windows7-x64

10

241c1d05ad...47.exe

windows10-2004-x64

10

243242e581...fc.exe

windows7-x64

1

243242e581...fc.exe

windows10-2004-x64

1

24333d13e7...f5.exe

windows7-x64

10

24333d13e7...f5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    archive_9.zip

  • Size

    49.0MB

  • Sample

    250322-gwdcdstjs4

  • MD5

    900f25e26fe68be65ab8c7737b7d6ef4

  • SHA1

    02447d2ba8d6304c1b76d6f4acf42866edd8f6cd

  • SHA256

    add6234329d65ae878b6112d7d63d6641b842d28c0fa2fa5fbbb09a1b835bc0c

  • SHA512

    36fd78ffa372790d21dce85e2a6cae105a1cce4a92aa9f52c74625676018c25a97b94cb680f39dbf94051b3966e35c3be56dc3ed57c0785c8ad57b524da0c341

  • SSDEEP

    1572864:C9gd+BaNd33byiU4BBi7yyzjJOkxeQ6Q6:Ogd+Bam4BBYyyz0/Q6Q6

Score
10/10
asyncratdcratnjratremcosumbralxwormdefaulthackedhostcollectioncredential_accessdefense_evasiondiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1352294120709816320/BHrRyBn4V7i1bP_r17TDUnQrDR-Nt8f9Cwlc27StMgKmxuDQUJKQDuQmJhn28FCc1hAO

https://discord.com/api/webhooks/1351960627916046548/sMCVB7IW3xO9VYRI077To74W-rwcNv72ZfhSKGZQEhb_LIo_Y_mlEqd4E1zkI_gaMve_

Extracted

Family

xworm

Version

5.0

C2

212.224.93.247:5605

45.154.98.175:6969

larger-pose.gl.at.ply.gg:5114
Mutex

9Ydyo7uUL1dNGSd5

Attributes
  • install_file

    USB.exe

aes.plain
aes.plain
aes.plain

Extracted

Family

xworm

C2

127.0.0.1:7000

Attributes
  • install_file

    USB.exe

Extracted

Family

asyncrat

Botnet

Default

C2

27.ip.gl.ply.gg:1365

Attributes
  • delay

    120

  • install

    true

  • install_file

    svchost.exe

  • install_folder

    %Temp%

aes.plain

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

hshshhsh

Attributes
  • delay

    1

  • install

    true

  • install_file

    6asd8sdad2183sada8213s.exe

  • install_folder

    %Temp%

  • pastebin_config

    https://pastebin.com/raw/LwwcrLg4

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

HacKed

C2

aali13212.ddns.net:1177

tibeve7951.ddns.net:1177
Mutex

6f3851bd96f8b2182bdbb36e94744d6e

Attributes
  • reg_key

    6f3851bd96f8b2182bdbb36e94744d6e

  • splitter

    |'|'|

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Boy12345#

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a.exe

    • Size

      231KB

    • MD5

      2f4ccda2d6d63cb86b7364cc8e5c95ec

    • SHA1

      12a830b8ae0530d7db30b6e50b0593c30625bdfd

    • SHA256

      21f28d08dc54803297d88496cbcf33b3314d19d8d526d5c30fcaf34e03e0f44a

    • SHA512

      0b6c799dd8e6b9c0ce84266de52492a3f705a15888720415fe479e3b03deadcde88b2fdd7c56320dea703d7eb5358edaa1fa5fb23f3ce09de296befc4966946f

    • SSDEEP

      6144:xloZM+rIkd8g+EtXHkv/iD4NVyQdLocD0abtIExXdb8e1mvoDi:DoZtL+EP8NVyQdLocD0abtIExtIoO

    Score
    10/10
    umbralstealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Umbral family

      umbral

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

    • Target

      21f66f607b86f4db433d605d92d00531.exe

    • Size

      1.6MB

    • MD5

      21f66f607b86f4db433d605d92d00531

    • SHA1

      f40284412b592f66288656c9883f1c740bfd6fab

    • SHA256

      7ed1f0270ecdcff9af42e3f4e54689cb96ddbe26d370e848942d08dc3e5fa9ea

    • SHA512

      9543327ed0c632e39ad6204c1371ee9cfa152079c5fd01f3dc8aaf9b4bc992315cc05b4fc509b6e718116ff75785c525256e7570706b1b2ffb41a250ae89ab73

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    Score
    10/10
    dcratexecutioninfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral3behavioral4

    • Target

      2225aa5547f360f85048a5ead0ad3d980d89c0d213fb60544912c2eafa29c366.exe

    • Size

      1.9MB

    • MD5

      b9867e22e55a07a407707cab1812c4cf

    • SHA1

      d2a0e5476d102309a84319b95fa223aee8be2be9

    • SHA256

      2225aa5547f360f85048a5ead0ad3d980d89c0d213fb60544912c2eafa29c366

    • SHA512

      afc0dea22b1c6efd6c801b38cdce7df0693df5da59f046f90808698eada1f630224d524dd918505ecaa672c3f106d893d30828d05a4966a22f02b6328a63d859

    • SSDEEP

      24576:yD39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJWqwH6L:yF+QrFUBgq25eKu6L

    Score
    10/10
    remcoshostdiscoverypersistenceratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

    • Target

      229543f6c7784759f628c2f004852272.exe

    • Size

      32KB

    • MD5

      229543f6c7784759f628c2f004852272

    • SHA1

      feb176062c0bebc6bc91bf42b6fe7463d562c7ee

    • SHA256

      56d00fee64f6ab77f9b4dce829a8fa1e2d94ee968718a8ab007c8dd4144328b8

    • SHA512

      9058cd91a0c010e79db2ce3af2be6d1fc5cb29b1c80ba359df7d395119110636bff024c0fbb8514e93833aafe036c41355566f0a97ecd9c4cfee5f7ba5fe869e

    • SSDEEP

      768:SVa+vNtg+PB93Tw4eJdVFE9j1NOjhtbT:8vNtgw93U4e9FE9j3Ojjn

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm
    behavioral7behavioral8

    • Target

      229ce4ad220d6fc570b37e681d37ace4c11216f0a6a879701a174aac5c4c2142.exe

    • Size

      229KB

    • MD5

      18c63a90674dfd9ce20787856a3eab57

    • SHA1

      060399c3b7edbeaf034b8b1d40ea75e48b235bbb

    • SHA256

      229ce4ad220d6fc570b37e681d37ace4c11216f0a6a879701a174aac5c4c2142

    • SHA512

      5e1ef92fe3100720d4aa0550979b1af599c4c4f3c8431a697a315a00eeb556172f64249dad3346cc7f3d7c744db353872d80f97ca40c9a2810d85f35c1d3402e

    • SSDEEP

      6144:lloZM+rIkd8g+EtXHkv/iD40uHVywvrY/hkijD6nOrb8e1mki:noZtL+EP80uHVywvrY/hkijD6n8i

    Score
    10/10
    umbralstealer

    • Detect Umbral payload

    • Umbral

      Umbral stealer is an opensource moduler stealer written in C#.

      stealerumbral

    • Umbral family

      umbral

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral10behavioral9

    • Target

      22ce8222d21c2d1a2d81b3f6e624d15b.exe

    • Size

      38KB

    • MD5

      22ce8222d21c2d1a2d81b3f6e624d15b

    • SHA1

      98d0499b32aef982d39b2d5a4113a57cb8bd1ced

    • SHA256

      e35b3b47f0fd2ab198e36f23137e77916a238764575042e5e29a94032c865561

    • SHA512

      7376dd4267d88147c12d895e6db42b5954287c640f54bac637e0c1660f2d6003b712c90f7817dd944873d5a30b67967c2a34d22c7b053f5b5221dbed5f4a40cb

    • SSDEEP

      384:g4LzjSrmqX84FmLuaHORSjjvUuJLLERVLGpaVrxYBox+0/pkFMAzNLTOZwg3Ocvp:tuz84c7xwRjV+Box+TFv9H63OMhU4h

    Score
    10/10
    xwormpersistencerattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Drops startup file

    • Adds Run key to start application

      persistence
    behavioral11behavioral12

    • Target

      22e982850d21652c4a32b8c048f19b20.exe

    • Size

      2.0MB

    • MD5

      22e982850d21652c4a32b8c048f19b20

    • SHA1

      f72a3ab745d1a1113965bb89a342525f30d12408

    • SHA256

      a2f1356aa5651bea6110c7820ed856d54b26c8757af7a968383f167a46051c87

    • SHA512

      10c1db49c4bfa962c88b08764cc581bbaf34cf8ef9ef6ea106e6cd57b529fe588d1d3f6d70596b63224acc7f9efb06450bf5a0c3a23a88d60f00a96bf512641f

    • SSDEEP

      49152:TrYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:TdxVJC9UqRzsu+8N

    Score
    10/10
    dcratinfostealerrat

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat
    behavioral13behavioral14

    • Target

      22f097b0a0666aaffb57efec67cc00dc69e1b624bdfb4c7ea69627a07cf12691.exe

    • Size

      10.0MB

    • MD5

      2f183f2569cf644c1649069538674c24

    • SHA1

      24d882653c40a8c5f589e95dbb10cc3f3fb7e38a

    • SHA256

      22f097b0a0666aaffb57efec67cc00dc69e1b624bdfb4c7ea69627a07cf12691

    • SHA512

      26a63bae957c8cd75005e9f44d84aa8db79a7ce6ba6b850c2e50b6370f98160dac3e32b61892b2c03cc8088ac3ff02a61f3721e4733a3c44919c64a633ccce5c

    • SSDEEP

      6144:S0M4eIm9AUSKWWkxUGwwlHOAmcHIbOwaWNdKfiNSvxpgkjFYJ2+hlJeutRj7ZyTY:0Im9RS7WhjkH9mEIbl9NdRP7yHilv

    Score
    1/10
    behavioral15behavioral16

    • Target

      22f1f6e81e6bd6c160bd96c4742040f6d275ae30664f7074f3cfdba83bf356ff.exe

    • Size

      185KB

    • MD5

      719a3ff4f666ce23233f333c2e7bdf21

    • SHA1

      d242454a2618c1980e7f4e36d7713ade6caee366

    • SHA256

      22f1f6e81e6bd6c160bd96c4742040f6d275ae30664f7074f3cfdba83bf356ff

    • SHA512

      f0bbce39c99465f3aec2e89ba5c9ba2e7f323ba39afc7d85063ac40a5db45eeb767dead374852cf23f9ebf0daab41462d22ef07498d5885a212b54d94ba41b7f

    • SSDEEP

      3072:ygt14eIX61ZAzb49qO/BvF84NpVq8BxFRzaqF+o2GQJ7/JzqVfGvp:yS14eHZAzbc98gVqwlL

    Score
    10/10
    xwormrattrojan

    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral17behavioral18

    • Target

      231f156f9f4b328156bcb91a17f2a636.exe

    • Size

      3.0MB

    • MD5

      231f156f9f4b328156bcb91a17f2a636

    • SHA1

      4a152cf18df6e69aae5dc7188dc29cae5d58c062

    • SHA256

      703c6e6e766b8454ab69233c17b178c5e8cf75367a99195b00f969f0896ed15f

    • SHA512

      bbd3e640ad27a495b3c967c6d69951f061b70da3205416a547da735c003ada40e7ea64de0cf3652756f7cb07d957dfb00ee1e71d70ddddabd5a9e19546301136

    • SSDEEP

      49152:q/3iuoi0xrLIy5sx+3K0n+B87/2bHJC3H0oJK7rohky64a65KKRD:4SuMxAxKp+SDqHJq+zy86A

    Score
    10/10
    dcratdefense_evasiondiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Modifies WinLogon for persistence

      persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • DCRat payload

      Detects payload of DCRat, commonly dropped by NSIS installers.

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      defense_evasiontrojan
    behavioral19behavioral20

    • Target

      23f2f3a3cdfd8142daa853ff68baaf99.exe

    • Size

      63KB

    • MD5

      23f2f3a3cdfd8142daa853ff68baaf99

    • SHA1

      c31d3187ed6d0c22ea444251e6b4b457192f9ddb

    • SHA256

      a9acdad51d3734d9b20c064edd822c12ab0652bbc8fee7b614bf958a8dfc3f29

    • SHA512

      aaea969d2be58c8f90298261b059f2be39dad96700549251ad84d59f4eabfde104b5af512a281016acee9ac4261146fdea6a22e750e265cad144feb22a7d106a

    • SSDEEP

      768:ekh9PXn1w787gC8A+XvqazcBRL5JTk1+T4KSBGHmDbD/ph0oXLb8/odR2sYuSu3p:VR1gMdSJYUbdh9Lb8W2D5u35pqKmY7

    Score
    10/10
    asyncratdefaultrat

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

      ratasyncrat

    • Asyncrat family

      asyncrat

    • Async RAT payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    behavioral21behavioral22

    • Target

      23f9b03d2df5b98862c4a8786e7c60b9.exe

    • Size

      5.9MB

    • MD5

      23f9b03d2df5b98862c4a8786e7c60b9

    • SHA1

      e6fee163376604e213286ef0729e9d7b4333ff24

    • SHA256

      d8d10225adab6ebd9664f4ea8238a53b39ebe518df431ec221859221815b1177

    • SHA512

      f9dc66a4e101f09e2c59a364e439232fc89cd4040ffa920021bf3b93a5c45f6d74c03e88f029c5c7fa7a3b0685c6ace73340231faeb039d6f26408b7fab77461

    • SSDEEP

      98304:RyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw48:RyeU11Rvqmu8TWKnF6N/1wB

    Score
    10/10
    dcratdefense_evasionexecutioninfostealerrattrojan

    • DcRat

      DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

      ratinfostealerdcrat

    • Dcrat family

      dcrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • UAC bypass

      defense_evasiontrojan

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Checks whether UAC is enabled

      defense_evasiontrojan

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral23behavioral24

    • Target

      23ff6ba14d3b8f4e26b767c0e34e371c9c3ebbd812a6ffcdda48d83582c2d591.exe

    • Size

      771KB

    • MD5

      949facd81347ec29747c2adfa6bb23e1

    • SHA1

      2d223fc2e830ea101e18306a06edb1f9b0b4a637

    • SHA256

      23ff6ba14d3b8f4e26b767c0e34e371c9c3ebbd812a6ffcdda48d83582c2d591

    • SHA512

      6dffa3be76f6b2fae9a8da26d392c4a7754e023bd8da993a45944da977e4b637abbf979cf10a9878d2867f2d0b4f1ff6c488671a45d64006b82dfcb348becfeb

    • SSDEEP

      6144:ntT/Yq3v9Auky+4dusAIFB++velibxPyp/64wjOjn6cB3rcnKq:h6u7+487IFjvelQypyfy7cnKq

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral25behavioral26

    • Target

      241c1d05adf291569126403b9a0e97c1c0beebbf68a5a4c9c6dad1a9f2f7a347.exe

    • Size

      954KB

    • MD5

      8e28a9dbca7a77cbe2d5d291da602d47

    • SHA1

      22863bec1dc0a03b07c963f1b451cca9a1a3afd4

    • SHA256

      241c1d05adf291569126403b9a0e97c1c0beebbf68a5a4c9c6dad1a9f2f7a347

    • SHA512

      df4c199824242535f6754b41093fd1cd98fae46c0d6f9fac9399a1ff91969e465a899e41156467b800238602fd271681a9e2a5250ba935a763013f092ddf96c1

    • SSDEEP

      12288:6z7IFjvelQypyfy7z6u7+4DvbMUsIvOcf:6z0FfMz6TEbMUs8OC

    Score
    10/10
    collectioncredential_accessdiscoverypersistencespywarestealer

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads WinSCP keys stored on the system

      Tries to access WinSCP stored sessions.

      spywarestealer

    • Reads data files stored by FTP clients

      Tries to access configuration files associated with programs like FileZilla.

      spywarestealer

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral27behavioral28

    • Target

      243242e5813fdbd8135ecb71808ecb70acf43e6c2bbfa8a0c5132c1fab67adfc.exe

    • Size

      620KB

    • MD5

      a1181c8e68dacbf00d61def015cf9941

    • SHA1

      9a800c404c8b9c64a53340a82c145b4b3eee0e2b

    • SHA256

      243242e5813fdbd8135ecb71808ecb70acf43e6c2bbfa8a0c5132c1fab67adfc

    • SHA512

      c0d18578d1ca9f19856d5e6ca2b153d08e293200c76c26b71c1703aed020fe9008c43439a7a0870dad08f74aad98fe9e4163b8d009fd162fe704e1cd54bba0b3

    • SSDEEP

      6144:uTAPGhnEZDTve6VlWT8b9cKKFuo0z86JqrbLUpeVCULsSIwdMlh7:MAOVE5PVle8L1qrTVlI

    Score
    1/10
    behavioral29behavioral30

    • Target

      24333d13e7b86f4e510460d2dd15aec988c73187602e961b434f12ee69f8e2f5.exe

    • Size

      867KB

    • MD5

      89cb35f716c4b65d8fb1118795c20b07

    • SHA1

      abf03fa78a97a1787bed6361d6ea862f3ed15221

    • SHA256

      24333d13e7b86f4e510460d2dd15aec988c73187602e961b434f12ee69f8e2f5

    • SHA512

      bb1b3104c3f28d863a5c984e19e747e73e57ff71febbfb758b25e4b89227e19fed199b979e020bce1019f47bd6d5f7aa77e8b52ad66db4d3b18a2d260652d395

    • SSDEEP

      12288:Hp+rgRNyA55IxJ+feDOa9rZj5XqkJD0QrOod7XxlW91RRzwAY3A7:HpugRNJI1D39dlfGQrFUxwAeA7

    Score
    10/10
    remcoshostdiscoverypersistenceratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral31behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Modify Registry

5
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

6
T1552

Credentials In Files

5
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Browser Information Discovery

1
T1217

Query Registry

5
T1012

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

5
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

ratdefaulthackedumbraldcratxwormasyncratnjrat
Score
10/10

behavioral1

umbralstealer
Score
10/10

behavioral2

umbralstealer
Score
10/10

behavioral3

dcratexecutioninfostealerrat
Score
10/10

behavioral4

dcratexecutioninfostealerrat
Score
10/10

behavioral5

remcoshostdiscoverypersistenceratspywarestealer
Score
10/10

behavioral6

remcoshostdiscoverypersistenceratspywarestealer
Score
10/10

behavioral7

xwormrattrojan
Score
10/10

behavioral8

xwormrattrojan
Score
10/10

behavioral9

umbralstealer
Score
10/10

behavioral10

umbralstealer
Score
10/10

behavioral11

xwormpersistencerattrojan
Score
10/10

behavioral12

xwormpersistencerattrojan
Score
10/10

behavioral13

dcratinfostealerrat
Score
10/10

behavioral14

dcratinfostealerrat
Score
10/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

xwormrattrojan
Score
10/10

behavioral18

xwormrattrojan
Score
10/10

behavioral19

dcratdefense_evasiondiscoveryexecutioninfostealerpersistenceratspywarestealertrojan
Score
10/10

behavioral20

dcratdefense_evasiondiscoveryexecutioninfostealerpersistenceratspywarestealertrojan
Score
10/10

behavioral21

asyncratdefaultrat
Score
10/10

behavioral22

asyncratdefaultrat
Score
10/10

behavioral23

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10

behavioral24

dcratdefense_evasionexecutioninfostealerrattrojan
Score
10/10

behavioral25

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral26

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral27

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral28

collectioncredential_accessdiscoverypersistencespywarestealer
Score
10/10

behavioral29

Score
1/10

behavioral30

Score
1/10

behavioral31

remcoshostdiscoverypersistenceratspywarestealer
Score
10/10

behavioral32

remcoshostdiscoverypersistenceratspywarestealer
Score
10/10