General

  • Target

    archive_10.zip

  • Size

    44.3MB

  • Sample

    250322-gwfgrayzcx

  • MD5

    327cd7e2f6679f46867d0e205d431a0b

  • SHA1

    deb1c4adfc033e444be4df64771a8be96f933f78

  • SHA256

    b8c5e2c8477706f3f54e152443718dcec270889002289aa1730eabc5ba3f312f

  • SHA512

    9df171e9b1c0adbb814619b1b0aab80d94bb101767b41199f589294b96df6b083d5ac88b62b1c67d619afb3be0005ad0781a2931bf75617dd2a002b686f49b34

  • SSDEEP

    786432:d//yxNPo+pxPeFhJi2EeHz06NFV6lgwOY1kkvPaukxh2GO2xvtMRe4jtwbFYn/fg:ZaZcJFF4lcAC0k4jtEW/fgiUdl

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7552210369:AAGOe83VIQXWkppjzFCQkkZxhmaRRArf0EQ/sendMessage?chat_id=7623088285

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

xworm

Version

5.0

C2

147.185.221.26:20448

Mutex

PDnMp26nAxNNrxwQ

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

njrat

Version

0.7d

Botnet

tnakt fik

C2

tnaktfik.ddns.net:1177

Mutex

6ccf4ee47554289234f96881f6819ddb

Attributes
  • reg_key

    6ccf4ee47554289234f96881f6819ddb

  • splitter

    |'|'|

Extracted

Family

xworm

C2

w-bridal.gl.at.ply.gg:48095

Attributes
  • Install_directory

    %Temp%

  • install_file

    Sys32.exe

Extracted

Family

umbral

C2

https://discord.com/api/webhooks/1352290842009796729/G8yLk-T0sLJfX9oqfGwDEn679VpKN-s9_di6iL35v7J0EuZOmgrqGv_vPjXY_ihAjPfX

https://canary.discord.com/api/webhooks/1345453309598629928/2HBSdVwTGkqEcvX_fE2qpKGG7vtM8kFpFQOMzfDnYxxXjd0yqm3Ub9cKP8ZoD-miqv3n

Extracted

Family

njrat

Version

im523

Botnet

Nursultan.exe

C2

127.0.0.1:5552

Mutex

351053b9b245fb5b8b34d4b6a63075b8

Attributes
  • reg_key

    351053b9b245fb5b8b34d4b6a63075b8

  • splitter

    |'|'|

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

systemcontrol.ddns.net:45000

systemcontrol2.ddns.net:45000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    OfficeUpgrade.exe

  • copy_folder

    OfficeUpgrade

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    Upgrader.dat

  • keylog_flag

    false

  • keylog_folder

    Upgrader

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    req_khauflaoyr

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    OfficeUpgrade

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

njrat

Version

0.7d

Botnet

neuf

C2

doddyfire.linkpc.net:10000

Mutex

e1a87040f2026369a233f9ae76301b7b

Attributes
  • reg_key

    e1a87040f2026369a233f9ae76301b7b

  • splitter

    |'|'|

Extracted

Family

vipkeylogger

Credentials

Extracted

Family

nanocore

Version

1.2.2.0

C2

sysupdate24.ddns.net:45400

Mutex

ae82ab7f-db07-49ee-9d2b-76075d76f37f

Attributes
  • activate_away_mode

    true

  • backup_connection_host

  • backup_dns_server

  • buffer_size

    65535

  • build_time

    2020-04-24T17:41:53.492468936Z

  • bypass_user_account_control

    true

  • bypass_user_account_control_data

  • clear_access_control

    true

  • clear_zone_identifier

    false

  • connect_delay

    4000

  • connection_port

    45400

  • default_group

    Default

  • enable_debug_mode

    true

  • gc_threshold

    10485760 (1.048576e+07, i.e. 10 MiB)

  • keep_alive_timeout

    30000

  • keyboard_logging

    false

  • lan_timeout

    2500

  • max_packet_size

    10485760 (1.048576e+07, i.e. 10 MiB)

  • mutex

    ae82ab7f-db07-49ee-9d2b-76075d76f37f

  • mutex_timeout

    5000

  • prevent_system_sleep

    false

  • primary_connection_host

    sysupdate24.ddns.net

  • primary_dns_server

  • request_elevation

    true

  • restart_delay

    5000

  • run_delay

    0

  • run_on_startup

    true

  • set_critical_process

    true

  • timeout_interval

    5000

  • use_custom_dns_server

    false

  • version

    1.2.2.0

  • wan_timeout

    8000
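The C2 column above mixes loopback addresses, dynamic-DNS names, a tunnelling hostname and two exfiltration URLs on legitimate services, and these are not equally useful as indicators. The AsyncRAT entry's 127.0.0.1:6606/7707/8808 hosts and its AsyncMutex_6SI8OkPnk mutex are the AsyncRAT builder's stock defaults (njRAT's 127.0.0.1:5552 is likewise the njRAT default), so that part of the config describes an unmodified or test build and gives nothing to block; the Telegram bot URL in the same config is the only live channel. The script below is an added example for this report, not the sandbox's or any malware family's code: it classifies every C2 entry listed above, drops the non-routable ones, pulls the bot ID, chat ID and webhook IDs out of the Telegram and Discord URLs, and emits a hunt/block list. The dynamic-DNS zone list and the grouping in `EXTRACTED_C2` are my own; the entries themselves are copied from the config section.

```python
"""Normalise the C2 entries from the extracted configs above into a hunt/block
list.  Added example for this report; not the sandbox's or any family's code."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Copied from the "Malware Config" section of this report (family -> C2 list).
EXTRACTED_C2 = {
    "asyncrat": [
        "127.0.0.1:6606", "127.0.0.1:7707", "127.0.0.1:8808",
        "https://api.telegram.org/bot7552210369:AAGOe83VIQXWkppjzFCQkkZxhmaRRArf0EQ/sendMessage?chat_id=7623088285",
    ],
    "xworm": ["147.185.221.26:20448", "w-bridal.gl.at.ply.gg:48095"],
    "njrat": ["tnaktfik.ddns.net:1177", "127.0.0.1:5552", "doddyfire.linkpc.net:10000"],
    "umbral": [
        "https://discord.com/api/webhooks/1352290842009796729/G8yLk-T0sLJfX9oqfGwDEn679VpKN-s9_di6iL35v7J0EuZOmgrqGv_vPjXY_ihAjPfX",
        "https://canary.discord.com/api/webhooks/1345453309598629928/2HBSdVwTGkqEcvX_fE2qpKGG7vtM8kFpFQOMzfDnYxxXjd0yqm3Ub9cKP8ZoD-miqv3n",
    ],
    "xred": ["xred.mooo.com"],
    "remcos": ["systemcontrol.ddns.net:45000", "systemcontrol2.ddns.net:45000"],
    "nanocore": ["sysupdate24.ddns.net:45400"],
}

# Assumption (my own list, not from the report): zones handed out by dynamic-DNS
# and tunnelling services.  The name is still blockable, but it is rented, not owned.
DYNAMIC_DNS_ZONES = ("ddns.net", "linkpc.net", "mooo.com", "ply.gg")

TELEGRAM_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")
DISCORD_RE = re.compile(r"^/api/webhooks/(\d+)/([A-Za-z0-9_-]+)$")


def _in_zone(host: str) -> bool:
    return any(host == z or host.endswith("." + z) for z in DYNAMIC_DNS_ZONES)


def classify_c2(entry: str) -> dict:
    """Describe one C2 entry: what it is, where it points, whether it is worth acting on."""
    if "://" in entry:                      # exfiltration over a legitimate service
        u = urlsplit(entry)
        m = TELEGRAM_RE.match(u.path)
        if u.hostname == "api.telegram.org" and m:
            chat = parse_qs(u.query).get("chat_id", [None])[0]
            return {"kind": "telegram_bot", "host": u.hostname, "port": 443,
                    "bot_id": m.group(1), "bot_token": m.group(2),
                    "chat_id": chat, "actionable": True}
        m = DISCORD_RE.match(u.path)
        if u.hostname and u.hostname.endswith("discord.com") and m:
            return {"kind": "discord_webhook", "host": u.hostname, "port": 443,
                    "webhook_id": m.group(1), "webhook_token": m.group(2),
                    "actionable": True}
        return {"kind": "url", "host": u.hostname, "port": u.port or 443, "actionable": True}

    host, _, port = entry.rpartition(":")
    if not host:                            # bare hostname, no port (xred)
        host, port = entry, ""
    port_num = int(port) if port else None
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_loopback:                  # builder default / test build: nothing to block
            return {"kind": "loopback", "host": host, "port": port_num, "actionable": False}
        if ip.is_private:
            return {"kind": "private_ip", "host": host, "port": port_num, "actionable": False}
        return {"kind": "public_ip", "host": host, "port": port_num, "actionable": True}
    kind = "dynamic_dns" if _in_zone(host) else "hostname"
    return {"kind": kind, "host": host, "port": port_num, "actionable": True}


def build_blocklist(configs: dict) -> list:
    """(family, kind, host, port) for every actionable entry; loopback/private dropped."""
    rows = set()
    for family, entries in configs.items():
        for entry in entries:
            c = classify_c2(entry)
            if c["actionable"]:
                rows.add((family, c["kind"], c["host"], c["port"]))
    return sorted(rows, key=lambda r: (r[0], r[2], r[3] or 0))


if __name__ == "__main__":
    for row in build_blocklist(EXTRACTED_C2):
        print("%-9s %-15s %s:%s" % row)
```

The Telegram bot token and the Discord webhook tokens are the operator's credentials for the exfiltration channel, so besides blocking they are worth reporting to the platform for revocation. For the URL entries the host is a legitimate service, so any network block has to key on the full path (bot ID, webhook ID), not on the domain.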

Targets

    • Target

      2695e9c3407b633d957cf77bb878f5f2.exe

    • Size

      5.9MB

    • MD5

      2695e9c3407b633d957cf77bb878f5f2

    • SHA1

      ec0caded0b9a4b143a0e6793d21fdf4eccfa8484

    • SHA256

      e4fd314579515e6065e60382d2f266607ba872608bb0c9e29a6fda8b9c702383

    • SHA512

      b3eeb4d3f9744c8a0b8144e1b3253a1ef3644b331bee8900d9cfdb86d019303f3dca08ee3b2e620f6ef6829dd90d1b356a26ac58f016cbec655a35dd6474906f

    • SSDEEP

      98304:xyeUxPQ0JMLyWIvqrhH05I8TderKjHDFUh9HkEXJfw4l:xyeU11Rvqmu8TWKnF6N/1wg

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Checks whether UAC is enabled

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      26988aa536baefc2f8043cdb0d2e49e800d009b362f5cbd38692511fc5198f1a.exe

    • Size

      256KB

    • MD5

      f8711c1a5b36f91d9c58dd4f367e40d1

    • SHA1

      750ee2c764fcdd0f6bd986eca9caa3795469d32a

    • SHA256

      26988aa536baefc2f8043cdb0d2e49e800d009b362f5cbd38692511fc5198f1a

    • SHA512

      e9cd3add054705913fa59e6ad01e583c24cc1319b8c592afa02cf289de68290359c22720a8c3970691a59a46eaf13eda88bc0a600ab654463fc60da36ea3ea3c

    • SSDEEP

      6144:85p178U0MURaGyNXYWQzHazRfXrwSRnWwhrQ+q:EeGUA5YZazpXUmZhlq

    • NanoCore

      NanoCore is a remote access tool (RAT) with a variety of capabilities.

    • Nanocore family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

    • Target

      26c11dac9dc4d37ddb0c44f4fba7be9fe1bf84f46cc3f369c46b099fbef02bae.exe

    • Size

      27.2MB

    • MD5

      033e360ce118a4bdb0b816f7c68de8cf

    • SHA1

      286a289a4e92105656ee1fcccac5e0814c0d24bc

    • SHA256

      26c11dac9dc4d37ddb0c44f4fba7be9fe1bf84f46cc3f369c46b099fbef02bae

    • SHA512

      786f1898f09d6eb643ddd04922ebf7f0e432cbd7cbe428325eeea1553a3f8f8fe29c8fa1223f8323f4dd84fa0d7d923fd496d892b918475c10eb915928f6ae70

    • SSDEEP

      12288:nssssDsssssssssssssssssssssssssssssssssssssbsssssssssssssssssssD:/

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Target

      26cf08ffef5a40b6849f2afec99ac8d4.exe

    • Size

      175KB

    • MD5

      26cf08ffef5a40b6849f2afec99ac8d4

    • SHA1

      86c276b3569218b1f1cb9f490d4631017aa85c52

    • SHA256

      ca0d16b1805984d77294ae4cbd3fc5c3c9d33cf60bc35d3c12e2b60245331521

    • SHA512

      9b31ae192c6c0ed9b4fafc751212c94cd7f566e4d82191ab1dfb42a5d5ff57712972dca2449e3e6742e5aa306c33953b1c8f77c7d9b16f140fe78a6187028680

    • SSDEEP

      3072:/e8oX8Sb5KcXrtkkXmf/bDsvqtU+lLToChAP0UZ0b2gT8fwAqE+Wpor:KXtb5KcXr7XmfgqtjhAxZ0b2p

    • AsyncRat

      AsyncRAT is a RAT written in C#, designed to remotely monitor and control other computers.

    • Asyncrat family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Drops desktop.ini file(s)

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Looks up geolocation information via web service

      Uses a legitimate geolocation service to find the infected system's geolocation info.

    • Target

      2731468d18a92b65fce6a2c8a04538e0.exe

    • Size

      2.0MB

    • MD5

      2731468d18a92b65fce6a2c8a04538e0

    • SHA1

      1777e3398d8716138d84b29d66a9428d6b285766

    • SHA256

      876eb243829a1a476315a159a2768ec07505d29aabc5234a0dcc877d8fa8d644

    • SHA512

      deed4e0b686914b866144ef7d9ab190d21a2f430d338c666db6831e98301a10005c5128d3f082caeae05de94d24009a74dd8d81c1f64e0fd1c10d858d9a5aa72

    • SSDEEP

      49152:brYU+Yy4J8jao9UVlWAOjhRzsiYHjo++xTN:bdxVJC9UqRzsu+8N

    Score
    10/10
    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • DCRat payload

      Detects the DCRat payload, commonly dropped by NSIS installers.

    • Target

      2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe

    • Size

      15.2MB

    • MD5

      6d2849c0ff4b4cf3ef02f4fde0d92351

    • SHA1

      1173bd4bd5c3c107ac9cb9b6b92379b85d0ace71

    • SHA256

      2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f

    • SHA512

      553b31e4c338239be5aca5b58722432c7e9cb7dfa96950952035a5f316f44127c4cec3978db80312b80196be319f0ca920a687204de3367a0a10d82728266743

    • SSDEEP

      393216:LGg4aQGg4aDGg4aRGg4aTGg4akGg4auGg4awGg4aDGg4a1Gg4aPGg4at:r+zZDSsezdPt

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      275ed71ebe32729141c2916b8abcca8763d60d2a4af82de387b9979a37495ada.exe

    • Size

      135KB

    • MD5

      955370c2069f2a6d1e61acf033cea200

    • SHA1

      d6b5e253980b7744802e5fe3c1d1b2b9ce0572b3

    • SHA256

      275ed71ebe32729141c2916b8abcca8763d60d2a4af82de387b9979a37495ada

    • SHA512

      373ceafa1a982eff2f0bf93c728f7e1fab4df393e600aa5bcb4939eae8ad7959713cda9fa22a379a507431d6c2ea9bbccb4f254fdac434ec4f0e3c7aa9b9387a

    • SSDEEP

      1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjK6:xPd4n/M+WLcilrpgGH/GwY87mVmIXt0Z

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      27603eafb6dd5000efc17b4d67e142aa.exe

    • Size

      999KB

    • MD5

      27603eafb6dd5000efc17b4d67e142aa

    • SHA1

      bb6cfbad15876e4d37a7355618d6d29ab487245a

    • SHA256

      cca55400b39ebc83a4b99277a47d4f83e0af9172b5f8008427ecab55d5c63f67

    • SHA512

      b3aadec99d7c1fab9ded1efe5023537d6675fe16ef18bda9885722ca76cc008ba0676106c559300fbb412351a72aa9c959c524d049e794bd22fa1b418d592661

    • SSDEEP

      12288:H9pLLk45WSSY1BX6f4bIS7rMNetPfC9Vs6IFGs0jxAqXj9xPSI0dzNgCoD7WX+Iu:H9pP5WS3lrMNyC9TJPCXBi

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Modifies WinLogon for persistence

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      2774cc3c0042f6c83a21daa4b7ea0d0f.exe

    • Size

      34KB

    • MD5

      2774cc3c0042f6c83a21daa4b7ea0d0f

    • SHA1

      02504384a948854d039399a1b95a295902e4f9d1

    • SHA256

      1ff24ee66a68e8257f500d0432ea0b0905c7527d493927fec6c6b3fc7c0e6e31

    • SHA512

      f7c3edbc702de77958c75e764e3d23f3fa8e4e99f921b0649b0b712ce06a1e5317f14eac0989930c3253d03e383e114f8759acf7450fd2222175198337284299

    • SSDEEP

      768:FXHYasu0INg1C4C7V9FZ9jhWyOjhQ/cU:F3YtbBgzFZ9jhWyOjq0U

    Score
    10/10
    • Detect Xworm Payload

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Drops startup file

    • Target

      277de6643cae0dcc918de5342ba5f386.exe

    • Size

      23KB

    • MD5

      277de6643cae0dcc918de5342ba5f386

    • SHA1

      21ea2be08f0383e17920bc69e0ca8093e736f6ce

    • SHA256

      034571fe3806bfc17dba77d5b97ee76375df0989a4462f72d79287b7231dd040

    • SHA512

      ad17ff0df3b8d13dc17752ed4e7d66ff69a8d52207b0b6c860a4ec0cdaeeb775fc69bac4c5f27d8f89f48a96d0598420cd45149edb3ac10eb578f2299da41f5e

    • SSDEEP

      384:/AQ+SAN7uprgvM5OSUswZXg6rgbm4hfpFmRvR6JZlbw8hqIusZzZVb:vOaxVUxRpcnue

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Target

      279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819.exe

    • Size

      1.6MB

    • MD5

      f088c5388663eeeed395b7263d1f4993

    • SHA1

      698d5eaabf3b5ce145f89f810311a0b42dade120

    • SHA256

      279ceeb4dbef5230750c02de9ade3cf0297d0abf23ac8b8a8cf1c0156b510819

    • SHA512

      c9d946db7a10abed675d764436f3af3482b5259589fa976758b28bcd7c5b380bde9e338783611cbc5925cfdabbe0c9ba930bdb85aec7e6190d935b678b5dbba6

    • SSDEEP

      24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, commonly dropped by NSIS installers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Target

      279dab20ac900bec30b0f1793b059f0d.exe

    • Size

      885KB

    • MD5

      279dab20ac900bec30b0f1793b059f0d

    • SHA1

      746b709243322cebafc65da649e8b2a9955033b0

    • SHA256

      035e4ad513f0cb3ac0e1ef6c550e753ba271cf1795721a84f019c877cc53bfe5

    • SHA512

      5a02f8bef439ed12276e3e7fbbb0b405988289cb2958c33a26f22c5a21d28f0befa0cc5df26abf1e1a51a0a81d37f2da945cc22f48ebd20503e7987ec5265338

    • SSDEEP

      12288:UlNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:UlNCv6XJ5BClaXfD9vUha+u

    Score
    10/10
    • DcRat

      DarkCrystal (DCRat) is a .NET RAT, active since June 2019, that can load additional plugins.

    • Dcrat family

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • DCRat payload

      Detects the DCRat payload, commonly dropped by NSIS installers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Target

      27aa584234053a57f89d2e393478ef04.exe

    • Size

      97KB

    • MD5

      27aa584234053a57f89d2e393478ef04

    • SHA1

      56969025047f74cd434cbb444de6ff3ce3a96cb5

    • SHA256

      54ad65b8e1afd5bb9dbd5ad7b5c66eeb36461d9c814ec6854abcbd33959ff2a8

    • SHA512

      fed56d5eda48e1738e6a45b78fe2278bfa8fbf8ee4cf8c2566efea51e38894f33c4899a5fff756a81b67ba69030b021a578c41df54432f282503cf9ed6f56401

    • SSDEEP

      1536:MYxlY23kGwgMBUQGum2U8aVCguHEvQEbFeDVC3woFRKpTdeE:DlY23kg3sguGDFaXeE

    • Njrat family

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      27b356f4e4551c76a9bd9011156ba560.exe

    • Size

      846KB

    • MD5

      27b356f4e4551c76a9bd9011156ba560

    • SHA1

      bc2cb4421dbfbe573db2a923bd0cf460e1bc7102

    • SHA256

      3deb9bf412bb63728f56e63c25669fa7f615e89fdaf872c7f4345ca892b98cad

    • SHA512

      bf497517e7d8d48da9a6562959354d71d9fcc08a8fb0430be0b437e6b4404e3d98a347255fc1f9e61f63f37ae238666ca3379e1b2301ddea06d2c360dd1d3d52

    • SSDEEP

      12288:BdZnbEo7qAJSjwGlfaaZFo0b5UrEBauMYFjcaxjMJ51A/POFUI7U5GGXBu/647Q7:9bEiOwyaWXUluLFRxjM9AXdI7+Gku

    • VIPKeylogger

      VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, first seen in 2020.

    • Vipkeylogger family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      27f2cdcc8ecc897dfe40d5af2b4122fc9a40843d60a0506a4a2d5044650a5f20.exe

    • Size

      135KB

    • MD5

      62e5ced86ccb25c5692dda3779968bbf

    • SHA1

      5d329227cb51365c98b76fa301c7491064e37824

    • SHA256

      27f2cdcc8ecc897dfe40d5af2b4122fc9a40843d60a0506a4a2d5044650a5f20

    • SHA512

      1463b8b98848cb10d72e654ed2f872fedb9ae4fe394c1974d328c04b552937fcf8d4e33bf37fc324e726cff8e9ee3486b5bfc69d6edbb7199522736d3de11092

    • SSDEEP

      1536:ITHiPBX4nDzMyRXGHrc9YRHqbTypgpmb5Q+ZReSdhk/J+YLgD3mrxb53cSuYQjKA:xPd4n/M+WLcilrpgGH/GwY87mVmIXQ

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      27f98377943c5b084728d381bf46e854.exe

    • Size

      97KB

    • MD5

      27f98377943c5b084728d381bf46e854

    • SHA1

      9593940f427419dfd2adf4cd1ad4286826ff3845

    • SHA256

      0a1bda6f7c5c6c9696164a73a94bd91a553333582082c08eb974d7b5aad215da

    • SHA512

      1c9197b189fc3e1fdbccae8c847e96e2b3c44f5b2af93a0f8805735a55d4b65c106966db4cb0136c19e6d3118f75c5f6a3065e7fbb8a6fc7fa5d1d10f7ec9de7

    • SSDEEP

      1536:18w4O/aH3jJ6tWOh1OErrUS652utcA6KmWoLPdCJ:183WWtErr7652zmuPd6

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Reads user/profile data of local email clients

      Email clients store some user data on disk, where infostealers often target it.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook profiles

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
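Several of the targets above carry the signatures "Adds Run key to start application" and "Command and Scripting Interpreter: PowerShell" (Defender exclusions), and the extracted configs give the exact file names those writes should land on (XClient.exe, Sys32.exe, OfficeUpgrade.exe, Upgrader.dat) plus the njRAT reg_key values. The following is an added example, not the sandbox's own detection logic: it expands the install attributes into full paths for a sample profile, parses the exclusion switches of `Add-MpPreference`/`Set-MpPreference` out of a command line, and runs both checks over a handful of constructed Sysmon-style events. The profile paths, the event records and the assumption that the Defender change is made through those cmdlets are mine; the file names and registry value names come from this report.

```python
"""Turn the install attributes and behaviour signatures in this report into host
checks over endpoint telemetry.  Added example; not the sandbox's own logic."""
import ntpath
import re

# Install attributes copied from the "Malware Config" section of this report.
INSTALL_ATTRS = [
    {"family": "xworm", "dir": "%AppData%", "file": "XClient.exe"},
    {"family": "xworm", "dir": "%Temp%", "file": "Sys32.exe"},
    {"family": "remcos", "dir": "%AppData%", "folder": "OfficeUpgrade", "file": "OfficeUpgrade.exe"},
    {"family": "remcos", "dir": "%AppData%", "folder": "Upgrader", "file": "Upgrader.dat"},  # keylog
]
# njRAT reg_key values from the three njRAT configs above (used as Run value names).
NJRAT_REG_KEYS = {"6ccf4ee47554289234f96881f6819ddb",
                  "351053b9b245fb5b8b34d4b6a63075b8",
                  "e1a87040f2026369a233f9ae76301b7b"}

# Assumption: one representative profile; real triage expands this per user.
ENV = {"%AppData%": r"C:\Users\victim\AppData\Roaming",
       "%Temp%": r"C:\Users\victim\AppData\Local\Temp"}


def expected_paths(attrs=INSTALL_ATTRS, env=ENV) -> set:
    """Expand install_directory / folder / file into lower-cased on-disk paths."""
    out = set()
    for a in attrs:
        base = env[a["dir"]]
        if a.get("folder"):
            base = ntpath.join(base, a["folder"])
        out.add(ntpath.join(base, a["file"]).lower())
    return out


# Assumption: the "modify Windows Defender settings" signature is matched here on
# the Add-MpPreference / Set-MpPreference cmdlets and their -Exclusion* switches.
MPPREF_RE = re.compile(r"\b(?:add|set)-mppreference\b", re.I)
EXCLUSION_RE = re.compile(r"-exclusion(path|extension|process)\s+(\S+)", re.I)


def defender_exclusions(cmdline: str) -> list:
    """[(type, value)] for every exclusion a PowerShell command line adds, else []."""
    if not MPPREF_RE.search(cmdline):
        return []
    found = []
    for kind, raw in EXCLUSION_RE.findall(cmdline):
        for value in raw.split(","):          # e.g. -ExclusionExtension exe,dat
            found.append((kind.lower(), value.strip("'\"")))
    return found


# Constructed Sysmon-style events (not from the report): 1 = process create,
# 13 = registry value set.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Add-MpPreference"
                " -ExclusionPath 'C:\\Users\\victim\\AppData\\Roaming\\OfficeUpgrade'"
                " -ExclusionExtension exe,dat -ExclusionProcess OfficeUpgrade.exe"},
    {"id": 13, "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OfficeUpgrade",
     "data": r"C:\Users\victim\AppData\Roaming\OfficeUpgrade\OfficeUpgrade.exe"},
    {"id": 13, "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\6ccf4ee47554289234f96881f6819ddb",
     "data": r"C:\Users\victim\AppData\Local\Temp\server.exe"},
    {"id": 1, "image": r"C:\Program Files\Vendor\updater.exe", "cmdline": "updater.exe --check"},
]


def triage(events, attrs=INSTALL_ATTRS, njrat_keys=NJRAT_REG_KEYS) -> list:
    """Flag Defender-exclusion commands and Run-key writes that match the configs."""
    paths = expected_paths(attrs)
    hits = []
    for ev in events:
        if ev["id"] == 1:
            ex = defender_exclusions(ev["cmdline"])
            if ex:
                hits.append(("defender_exclusion", ex))
        elif ev["id"] == 13 and "\\currentversion\\run\\" in ev["key"].lower():
            value_name = ev["key"].rsplit("\\", 1)[-1]
            if value_name in njrat_keys:
                hits.append(("njrat_run_key", value_name))
            elif ev["data"].lower() in paths:
                hits.append(("run_key_known_install", ev["data"]))
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(*hit)
```

The exclusion check is deliberately independent of the config values: any `Add-MpPreference -Exclusion*` from a user-writable path is worth an alert on its own, and the parsed exclusion list tells you which directory the payload is about to be staged in. The Run-key check is the config-specific half, and the njRAT value names are only as stable as this batch of builds.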

MITRE ATT&CK Enterprise v15

Tasks

static1

rat, default, tnakt fik, nursultan.exe, asyncrat, stormkitty, dcrat, xworm, njrat, umbral
Score
10/10

behavioral1

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10

behavioral2

dcrat, defense_evasion, execution, infostealer, rat, trojan
Score
10/10

behavioral3

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral4

nanocore, defense_evasion, discovery, keylogger, persistence, spyware, stealer, trojan
Score
10/10

behavioral5

discovery, persistence
Score
7/10

behavioral6

discovery, persistence
Score
7/10

behavioral7

asyncrat, stormkitty, default, discovery, persistence, privilege_escalation, rat, spyware, stealer
Score
10/10

behavioral8

asyncrat, stormkitty, default, discovery, persistence, privilege_escalation, rat, spyware, stealer
Score
10/10

behavioral9

dcrat, infostealer, rat
Score
10/10

behavioral10

dcrat, infostealer, rat
Score
10/10

behavioral11

xred, backdoor, discovery, execution
Score
10/10

behavioral12

xred, backdoor, collection, discovery, execution, persistence, spyware, stealer
Score
10/10

behavioral13

discovery, persistence
Score
7/10

behavioral14

remcos, host, discovery, persistence, rat
Score
10/10

behavioral15

dcrat, infostealer, persistence, rat
Score
10/10

behavioral16

dcrat, infostealer, persistence, rat
Score
10/10

behavioral17

xworm, rat, trojan
Score
10/10

behavioral18

xworm, rat, trojan
Score
10/10

behavioral19

njrat, tnakt fik, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral20

njrat, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral21

dcrat, execution, infostealer, rat
Score
10/10

behavioral22

dcrat, execution, infostealer, rat
Score
10/10

behavioral23

dcrat, infostealer, rat
Score
10/10

behavioral24

dcrat, infostealer, rat
Score
10/10

behavioral25

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral26

njrat, neuf, defense_evasion, discovery, persistence, privilege_escalation, trojan
Score
10/10

behavioral27

vipkeylogger, discovery, execution, keylogger, stealer
Score
10/10

behavioral28

vipkeylogger, collection, discovery, execution, keylogger, stealer
Score
10/10

behavioral29

remcos, host, discovery, persistence, rat
Score
10/10

behavioral30

remcos, host, discovery, persistence, rat
Score
10/10

behavioral31

discovery
Score
7/10

behavioral32

collection, discovery, spyware, stealer
Score
10/10