General

  • Target

    daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4

  • Size

    15MB

  • Sample

    201112-lvcvqj3rd2

  • MD5

    59a413614e91e86b933a42e4abdf1d43

  • SHA1

    2d4ae51600e384dfcc8c054ff8c798055d008f87

  • SHA256

    daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4

  • SHA512

    1e771d3c37f9035f4a813e062c9327bc1a14e34a29aee4bced9613555bb684c581cf121a83f5daa0e4a7e1ac2b430c34b3f190171d4f8a50f4f89bfdb8b6a93c

Malware Config

Extracted

  • Family

    remcos

  • C2

    roxy.dynalias.net:3297
    regiskm67.buyshouses.net:3297
    dico.is-a-liberal.com:3297
    neverdiemosole.is-a-doctor.com:3297
    zeusnodie.mypets.ws:3297
    nvdiedicobies.is-a-hard-worker.com:3297
    nvdieroxy.kicks-ass.net:3297
    nvdiedicozeuse.webhop.org:3297

Targets

    • Target

      daedd0017e4c1d2488d55bd08172c84420577c6c0a1d617d4c1c455870012bc4


    • Modifies Windows Defender Real-time Protection settings

    • Modifies security service

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT whose main functionality is password stealing and keylogging, but it also includes remote control capabilities.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Modifies service

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Modify Existing Service (T1031): 3

  • Defense Evasion

    Modify Registry (T1112): 4
    Disabling Security Tools (T1089): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 1

Tasks