Overview

overview

10

Static

static

AW QUOTE 2...DF.exe

windows7_x64

10

AW QUOTE 2...DF.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    AW QUOTE 21505 HQ1-Scan-068703_PDF.rar

  • Size

    679KB

  • Sample

    210922-jx48lsbhh3

  • MD5

    794bfcbbef15294c85c25eb815e88eaf

  • SHA1

    673988accb192e692282ce99e7e96bb5f9431d6e

  • SHA256

    08dea6bb572a7af97d8814d5b65a205f87e4a7e989c90aff99045698053d1a8c

  • SHA512

    19f838ba9301b87e89aee1d221ca4d0c82b189e849a8f333ce0cc0fdc5df248a60ff7925e43e8f3820d26eabf6602aca629503415607b0e1d4b7923b3ba3c316

Score
10/10
remcosremotehostmicrosoftpersistencephishingratspywarestealer

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

RemoteHost

C2

103.156.92.178:7006

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    windows.exe

  • copy_folder

    task manager

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    AppData-XFQ8F4

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Windows update

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      AW QUOTE 21505 HQ1-Scan-068703_PDF.exe

    • Size

      1.1MB

    • MD5

      8a13608bb749ecaead86683f640007ef

    • SHA1

      c72f47b7a5c636b6ca58fbcf65a1d5bfeddada3d

    • SHA256

      e6e8bb23ac6b68e1d48dd81f6012451d62b292fda9140e6012fe9702ab283732

    • SHA512

      adefe0c05316a015d20c7aac8a394671b32c5b0f662103e74578a1149e1b053316a355c9999d5021802c6892d74d6072093979f0c7bd7592311dc3e94d9d1d9d

    Score
    10/10
    remcosremotehostmicrosoftpersistencephishingratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Detected potential entity reuse from brand microsoft.

      phishingmicrosoft

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks