Resubmissions

09-10-2021 11:54

211009-n3dp3afccm 10

07-10-2021 14:54

211007-r9wq1acef7 10

General

  • Target

    ShippingDocs.exe

  • Size

    55KB

  • Sample

    211009-n3dp3afccm

  • MD5

    a3e458f7e2e1f940b0c62042afe607d3

  • SHA1

    6fb0a031365530ebb273f47f034181a530e31b70

  • SHA256

    1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028

  • SHA512

    9d27b5a6e1086b315bb71cccca1f64e718d1815adbccde1a3483e1404ec3d5d8a6eddc90de373e362543a8db69bf5118e36fef6c8b4cc82d40a4f771b44766e8

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

remUSD31k

C2

yedaibi.com:8760

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    zoom-FKG2PK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      ShippingDocs.exe

    • Size

      55KB

    • MD5

      a3e458f7e2e1f940b0c62042afe607d3

    • SHA1

      6fb0a031365530ebb273f47f034181a530e31b70

    • SHA256

      1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028

    • SHA512

      9d27b5a6e1086b315bb71cccca1f64e718d1815adbccde1a3483e1404ec3d5d8a6eddc90de373e362543a8db69bf5118e36fef6c8b4cc82d40a4f771b44766e8

    • Modifies WinLogon for persistence

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Patched UPX-packed file

      Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks