General

  • Target

    New Order request Ref E100-#3175704534,pdf.e.exe

  • Size

    636KB

  • Sample

    210407-srcl7mefwa

  • MD5

    b560c1126b2e27ec044832743f163000

  • SHA1

    74ad1277557d02a35729144fbdd6a7aaf1bd5de7

  • SHA256

    3cc981a7b504f9c20ee0a8497581f43b007eb3c412d85b87ef7f0cd0c5a145b6

  • SHA512

    97598717a4fcab5fca834447ddd5880db7cce48e9e8fc01e7049a743e5b2a8d9946706724dbc78f1c7864abf39687351542bd6c7406ccdd2362fb7ff5b607b5b
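Before doing anything with a file that carries this name, confirm it is the same object the report describes. The following Python is an added example written for this page (it is not the sandbox's own tooling): it computes all four published digests in one pass over the data and reports, per algorithm, whether they agree with the values above. The helper names are assumptions of this example.

```python
import hashlib
import sys

# Digests exactly as published in the General section for
# "New Order request Ref E100-#3175704534,pdf.e.exe".
REPORTED_HASHES = {
    "md5": "b560c1126b2e27ec044832743f163000",
    "sha1": "74ad1277557d02a35729144fbdd6a7aaf1bd5de7",
    "sha256": "3cc981a7b504f9c20ee0a8497581f43b007eb3c412d85b87ef7f0cd0c5a145b6",
    "sha512": "97598717a4fcab5fca834447ddd5880db7cce48e9e8fc01e7049a743e5b2a8d9"
              "946706724dbc78f1c7864abf39687351542bd6c7406ccdd2362fb7ff5b607b5b",
}

CHUNK = 1 << 20  # 1 MiB reads so large samples never have to be loaded whole


def hash_stream(chunks) -> dict:
    """Feed every chunk to all four digests in a single pass; return hex digests."""
    hashers = {name: hashlib.new(name) for name in REPORTED_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data: bytes) -> dict:
    """Hash an in-memory buffer (used by the tests; empty input is valid)."""
    view = memoryview(data)
    return hash_stream(view[i:i + CHUNK] for i in range(0, len(view), CHUNK))


def hash_file(path: str) -> dict:
    """Hash a file on disk without reading it into memory at once."""
    with open(path, "rb") as fh:
        return hash_stream(iter(lambda: fh.read(CHUNK), b""))


def compare_hashes(actual: dict, expected: dict = REPORTED_HASHES) -> dict:
    """Per-algorithm match. Case-insensitive, because sandboxes and CLI tools
    disagree on hex case and a spurious mismatch wastes analyst time."""
    return {
        name: actual.get(name, "").lower() == digest.lower()
        for name, digest in expected.items()
    }


def is_reported_sample(actual: dict, expected: dict = REPORTED_HASHES) -> bool:
    """True only if every published digest matches. A partial match (say MD5
    only) is treated as a mismatch: MD5 collisions are cheap to construct, so a
    file that agrees on MD5 but not SHA-256 is not the reported sample."""
    return all(compare_hashes(actual, expected).values())


if __name__ == "__main__":
    # Usage: python verify_sample.py <path-to-candidate-file>
    digests = hash_file(sys.argv[1])
    for name, ok in compare_hashes(digests).items():
        print(f"{name:7s} {'MATCH' if ok else 'MISMATCH'}  {digests[name]}")
    print("reported sample" if is_reported_sample(digests) else "NOT the reported sample")
```

A mismatch on a file with the same lure name is itself useful: droppers of this kind are re-packed frequently, so a different hash under an identical filename usually means a sibling build whose extracted configuration (C2 host and port) may differ from the one shown here.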

Malware Config

Extracted

Family

remcos

C2

goddywin.freedynamicdns.net:6712

Targets

    • Target

      New Order request Ref E100-#3175704534,pdf.e.exe

    • ModiLoader, DBatLoader

      ModiLoader (also tracked as DBatLoader) is a Delphi-based loader that abuses cloud services to download other malware families.

    • Remcos

      Remcos is closed-source remote control and surveillance software that is sold commercially and widely abused as a remote access trojan (RAT).

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                              Count  ID
  Persistence       Registry Run Keys / Startup Folder     1      T1060
  Defense Evasion   Modify Registry                        1      T1112
  Discovery         System Information Discovery           1      T1082

The IDs above follow ATT&CK v6, the version this report was generated against. In current ATT&CK, T1060 has been folded into T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); T1112 and T1082 are unchanged.
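To turn the extracted configuration and the behaviours listed above into something that can be checked against telemetry, here is an added Python example written for this page (it is not output of the sandbox and not code from the Remcos or ModiLoader authors). It parses the published C2 entry, then runs a few rules over a constructed list of endpoint events: a DNS query for the C2 host, a connection to the C2 host and port, a connection to the C2 port alone (reported at low severity, since the dynamic-DNS host will resolve to changing addresses), and a write under a Run/RunOnce key (the Registry Run Keys technique in the matrix, T1060 under ATT&CK v6). The event dictionaries, their field names, and the process and value names inside them are assumptions modelled loosely on Sysmon fields, not data from the report.

```python
import re

# Extracted C2 exactly as published in the Malware Config section above.
REMCOS_C2 = "goddywin.freedynamicdns.net:6712"

# Run and RunOnce keys under any hive (HKCU, HKLM, HKU\<sid>), case-insensitive.
RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE
)

# Constructed sample telemetry (assumption: Sysmon-like field names). Indices
# 0, 1, 2 and 6 are the events the rules below should flag; 3, 4, 5 are benign.
SAMPLE_EVENTS = [
    {"event": "dns_query", "image": r"C:\Users\victim\Desktop\New Order request Ref E100-#3175704534,pdf.e.exe",
     "query": "goddywin.freedynamicdns.net"},
    {"event": "network_connect", "image": r"C:\Users\victim\AppData\Roaming\dropped.exe",
     "dest_host": "goddywin.freedynamicdns.net", "dest_port": 6712},
    {"event": "registry_set", "image": r"C:\Users\victim\AppData\Roaming\dropped.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "value": r"C:\Users\victim\AppData\Roaming\dropped.exe"},
    {"event": "dns_query", "image": r"C:\Windows\System32\svchost.exe", "query": "example.org"},
    {"event": "network_connect", "image": r"C:\Program Files\Browser\browser.exe",
     "dest_host": "example.org", "dest_port": 443},
    {"event": "registry_set", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "value": "1"},
    {"event": "network_connect", "image": r"C:\Users\victim\AppData\Roaming\dropped.exe",
     "dest_host": "203.0.113.7", "dest_port": 6712},
]


def parse_c2(c2: str) -> tuple:
    """Split 'host:port' into (host, port). rpartition keeps IPv6 literals intact."""
    host, sep, port = c2.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {c2!r}")
    return host.strip("[]").lower(), int(port)


def hunt(events, c2: str = REMCOS_C2) -> list:
    """Return one alert per matching event, in event order."""
    host, port = parse_c2(c2)
    alerts = []
    for i, ev in enumerate(events):
        kind = ev.get("event")
        if kind == "dns_query":
            # Match the host and any label beneath it; strip a trailing dot from FQDN form.
            q = ev.get("query", "").rstrip(".").lower()
            if q == host or q.endswith("." + host):
                alerts.append({"index": i, "rule": "remcos_c2_dns", "severity": "high", "detail": q})
        elif kind == "network_connect":
            dest = ev.get("dest_host", "").lower()
            dport = int(ev.get("dest_port", -1))
            if dest == host and dport == port:
                alerts.append({"index": i, "rule": "remcos_c2_connect", "severity": "high",
                               "detail": f"{dest}:{dport}"})
            elif dport == port:
                # Host unknown or already re-pointed by the dynamic DNS owner:
                # port alone is weak evidence, so report it but at low severity.
                alerts.append({"index": i, "rule": "remcos_c2_port_only", "severity": "low",
                               "detail": f"{dest}:{dport}"})
        elif kind == "registry_set":
            key = ev.get("key", "")
            if RUN_KEY_RE.search(key):
                alerts.append({"index": i, "rule": "run_key_persistence_T1060", "severity": "medium",
                               "detail": f"{key} = {ev.get('value', '')}"})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"[{a['severity']:6s}] event {a['index']}: {a['rule']}  {a['detail']}")
```

The DNS rule is the most durable of the three: the dynamic-DNS hostname is what the implant embeds, while the address it resolves to and the dropped file names are free to change between builds.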