General

  • Target

    Inquiry for Export to Czech Republic.exe

  • Size

    617KB

  • Sample

    210331-j1wq2sn4tx

  • MD5

    34adf4b04711ceface4d93de0777ae6e

  • SHA1

    e1eba71c8893c528f839cbb02e03fb8234436f31

  • SHA256

    9a85184a6496a2e3055f5f8bb91ee73acb718e4b2589b42f7253416b7870be3c

  • SHA512

    921ff742ae5a1e56bd650f830f2b25efb70f87517a4d84bf938bc756677086d70a4ff8d123224006953e6db51a76fef2b2515de00f8ad176329436d56dfec4b4

Malware Config

Extracted

  • Family

    remcos

  • C2

    blazeblaze.ddns.net:10008

Targets

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • System Information Discovery (T1082): 1