Overview

overview

10

Static

static

DHL (SCAN)...on.exe

windows7_x64

10

DHL (SCAN)...on.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DHL (SCAN) Shipment Notification.iso

  • Size

    1.1MB

  • Sample

    210823-fznynpnhvx

  • MD5

    72f7678095b2e212d0b3c3da5cf12821

  • SHA1

    093eb005c06ead9aedb0965e9f5f392d22b56b9c

  • SHA256

    4e91bcc380f2283929f4b8e6fc746e3108dd5ebac3ef8f7a16b6f831613ae1e3

  • SHA512

    c2ae19b9d926282a5975d85ef2c0757bbfa2c86a17126f19c3ece65069e786c2153fb7db387198db09c90f139d9671d47803e0e8ac2172cc7021b2c7ed9653e5

Score
10/10
modiloaderremcoslas laspersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

LAS LAS

C2

goddywin.freedynamicdns.net:4108

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-YZ590Y

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      DHL (SCAN) Shipment Notification.exe

    • Size

      1.0MB

    • MD5

      90d18e14ba0ddee3dd22598c8435c109

    • SHA1

      b8b473aa7cefe46e934bde3a5c89f7f96f197ed1

    • SHA256

      bf0cc4fd655e77d8b634ad0f7de607e8bda88034910511e120dafc86d96fd8df

    • SHA512

      10fe71f49c94f8b263fc113ad5ad3bb15067644941db57ea386294b34f3e27bd77bc049835fd07239495c18cc02dab8ea8c1f129ef1875603a8950c1acfc3d5e

    Score
    10/10
    remcoslas laspersistenceratmodiloadertrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks