General

  • Target

    Scan Copy.lha

  • Size

    699KB

  • Sample

    210618-y4r6xazh26

  • MD5

    74b19c9d2a2bc658ef19bfcf6cee7932

  • SHA1

    932cd45e0d8dcb1a5068ae968bd41f8a8deee8b4

  • SHA256

    2fd9ff04e26bbbc8f627ba5913fba33494a0ffce9117ecb6e660c03f4e79125b

  • SHA512

    5a696897f66f5ff5c8644bba5556b77856ba7586f4e65e62238873b204586ced2e792b7a9682e4e156434caf580db1a3ec842fcc8a70f31b74d5406eafe6ceb9

Malware Config

Extracted

  • Family

    remcos

  • Version

    3.1.4 Pro

  • Botnet

    RemoteHost

  • C2

    ramzy.duckdns.org:2005

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    telgap.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-SX86V7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Extracted

  • Family

    snakekeylogger

  • Credentials

    Protocol: smtp
    Host: smtp.azebal.com
    Port: 587
    Username: kimone@azebal.com
    Password: $LfSkE^9

Targets

    • Target

      Scan06631.exe

    • Size

      614KB

    • MD5

      0bef184e0638721ef4c4847c5131a4de

    • SHA1

      791c93dcbf28eabc84d4d595a4bf51e83789a754

    • SHA256

      42f088d98889d5ed46a7990cba310ef267800ea172255337e620c905afd375ca

    • SHA512

      903ed52ab5c2bf5870c9f68734675dcd64ee9087f2f6b932720a3b59c324fb30e007153408f11270edea00259f1360c0f66758672556488add3dd712f96c5a20

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Scan Copy/Scan06632.exe

    • Size

      273KB

    • MD5

      b174e33d5ab7f90d7164caae7453b114

    • SHA1

      22c17f3cdd5819996b3c3359ec9758fecd6554dd

    • SHA256

      b373e5a4e4057ab261f9f58af8b2ebe75f401fc7df1c4b5aa26d555ec2a1387e

    • SHA512

      bd9b8783f37a3133ecdcdf34516a7a3984072f550bdae45d6544c22e60461e4a4e4da2cb5f175a49e172b35cd1c52d80635c4ed589c24f05a971f4f13a2ba4c0

    • Snake Keylogger

      A keylogger and infostealer first seen in November 2020.

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 2

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    System Information Discovery (T1082): 2

Tasks