General

  • Target

    microA.exe

  • Size

    1.7MB

  • Sample

    210624-1bfqa6wk66

  • MD5

    2da248b2e56ba13be75b9fc541b33b9a

  • SHA1

    90824a5f8b91eb49b00e6b5a81fa8862c3e03d82

  • SHA256

    8fabd89f985aae235b63098a58da4c32773e2aa81aae19f1e27467fd8924fc33

  • SHA512

    4e50ebc99693a02b2e85b95935e64fe50b468eca48d3dc0c4efd93df7237f02185fc3f6f6fe255d9713ab2551ba7b2b17444c8372d8b3f4fe810314ae63c8349

Malware Config

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

chrome

C2

fieldsdegreenf.duckdns.org:6553

aaeeerbbbeee.duckdns.org:6553

sdegreenfieldsdeeenf.duckdns.org:6553

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-1AJ7AD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      microA.exe

    • Size

      1.7MB

    • MD5

      2da248b2e56ba13be75b9fc541b33b9a

    • SHA1

      90824a5f8b91eb49b00e6b5a81fa8862c3e03d82

    • SHA256

      8fabd89f985aae235b63098a58da4c32773e2aa81aae19f1e27467fd8924fc33

    • SHA512

      4e50ebc99693a02b2e85b95935e64fe50b468eca48d3dc0c4efd93df7237f02185fc3f6f6fe255d9713ab2551ba7b2b17444c8372d8b3f4fe810314ae63c8349

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Collection

Data from Local System

1
T1005

Tasks