remcos

General

Target

878dbdcd93fa8a501ad8ff5e798ca60e004f89af453346a09b37a0d5146bc37a
Size

1.1MB
Sample

210727-5pj3dyxyvs
MD5

e1a8c1a7b463efea24a2c441e644a6a8
SHA1

9d7cfbc4a248bfcc2d01069d8da3d41f4ab90e66
SHA256

878dbdcd93fa8a501ad8ff5e798ca60e004f89af453346a09b37a0d5146bc37a
SHA512

6850d795caa0ac3272bb6b8e754b34ace43d284d9761e51b46a4426a0c437e00c8a527a3587bb4038eb6494a9ed2f95a755d0f6a4f6d74563d66b426144cf5bf

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.3

C2

http://www.northriverlawns.com/q3t0/

Decoy

xn--n8jh0ox33v9th.club

realestateactiongroup.com

theblackcottage.com

iptvfresh.com

firstseviceresidential.com

enhancemarketingsolutions.com

matchawali.com

lockedselfstorage.com

laurencervera.com

waffleicionados.com

ryanplumbingandmechanical.com

mahalabartlemathiassen.com

enter-flowers.com

berlinclick.com

pop.direct

dangeranimalsfounded.press

sweetwhiskerscreamery.com

acaciamultimedia.com

thejoyfulmark.com

bspceducation.com

Extracted

Credentials

Protocol: smtp
Host:
smtp.azebal.com
Port:
587
Username:
kimone@azebal.com
Password:
#*ehEFidm0

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

RemoteHost

C2

ramzy.duckdns.org:2005

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
agent.exe
copy_folder
Remcos
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-RV1M2P
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  Pagos-133, 195 & 285/Documento de Pago/Pago-133.exe
- Size
  
  423KB
- MD5
  
  42cfb7889c4a5fb1e3ab405d6749ff5c
- SHA1
  
  a652bb67bb18c540b8b730f8ec82557fc3f9e4cd
- SHA256
  
  f68c7bdc06b19a327f1428383d0df7b73158abb5604f2368f04233ba0020953c
- SHA512
  
  3bc5864d22bfd533c53df4b59f7e458c6334e5fdaab48ef35b8abc2f7d8d63f884a672e0b35bc9a851a080995ba084fd9dcdc40a590c86c83141dbdce958a20b
Score

10^/10

xloader loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Deletes itself
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  Pagos-133, 195 & 285/Documento de Pago/Pago-195.exe
- Size
  
  467KB
- MD5
  
  fd8c8b6a75beb812171a759eb586a9cd
- SHA1
  
  3803aaa0d31603efa2ae699c19131c46d0b1edd3
- SHA256
  
  453f04cce9aec338600473b9b81fc009ca69e899e2c5e9c4778cb5fa9caf36bc
- SHA512
  
  b12c0b63fc50d3693c9a4ad50492279850c8e1ba96ac5013ac8fe04da8a0f4a1e7de3ad3909d57fa66e4ac25f4efc8800d75287ae461242f098b05bce09489d4
Score

10^/10
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral2
- Target
  
  Pagos-133, 195 & 285/Documento de Pago/Pago-285.exe
- Size
  
  909KB
- MD5
  
  9768933afbf8fc3321fabe7ef5b8b140
- SHA1
  
  33c36facdb8b28dd8f63c86c7c65af9899203212
- SHA256
  
  b06ee4f0f1e474a53678998bb8c66b7e8b516b56ee017915963f09821bc55ca4
- SHA512
  
  7066f5ac68ff7a6e622d98f3caf2cab5c3484748ffd188cd875cf632c9da4f9bf4592a883a7abffa88609bb0b7fde8bbf0f4381d023edb5df50b59a6488edfdf
Score

10^/10

remcos xloader remotehost loader rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- NirSoft MailPassView
  Password recovery tool for various email clients
- Nirsoft
- Xloader Payload
  rat
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral3

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Xloader

suricata: ET MALWARE FormBook CnC Checkin (GET)

Xloader Payload

Deletes itself

Suspicious use of SetThreadContext

Looks up external IP address via web service

Suspicious use of SetThreadContext

Xloader

NirSoft MailPassView

Nirsoft

Xloader Payload

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3