Overview

overview

10

Static

static

10

TRN-973664...oc.exe

windows7_x64

10

TRN-973664...oc.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TRN-97366461563688738_CIF_00077637283651296368_doc.bin.zip

  • Size

    486KB

  • Sample

    220613-p3fp4acdh7

  • MD5

    1180ccd2189be290de22af2c69a579ce

  • SHA1

    9d1d41bea914cf9c267a379a2e16863bcffd1646

  • SHA256

    9962349253d26898c5c7a6263ef88a378d603f8e9bfaf4651dd44f7f27bdfcb6

  • SHA512

    7fa6076152c5529645caa92c642efab1a8c0935194f54ae2bfb130ee2fe235f17c17527714751237b7929cd4111834a4c21e91fabbc716f42b50202b33dcaa13

Score
10/10
neshtaremcosremotehostpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.94.127.61:5888

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-V4JCDL

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

Targets

    • Target

      TRN-97366461563688738_CIF_00077637283651296368_doc.bin

    • Size

      538KB

    • MD5

      71c04c5d339db01981ea6896784ab4af

    • SHA1

      c9a8e3ad849f7e146e8d33008df1eba0a367aa96

    • SHA256

      b884f8567f4e5056c3d4b58869a277830c40658f89ec5fa1e696c2e78620d9a0

    • SHA512

      b4c1425f40757da86175a9c4f4462619ce4118ccc6e81eedd6218091ec666a60e15dfd434f7e1330993ca0b722c3e7346e8f845901eb55de2680e74637a42209

    Score
    10/10
    neshtaremcosremotehostpersistenceratspywarestealer

    • Modifies system executable filetype association

      persistence

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

      persistencespywareneshta

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks