General

  • Target

    3c7ec3973570a16645402ec5072e88dfcca455bfd72464aa8b8d5e21b4c8b3ef

  • Size

    359KB

  • Sample

    220703-h37egscbe3

  • MD5

    c47a488c2856c937f8fe7ff9ddf1c52d

  • SHA1

    2df156748ccf95c71b60c304dd6dbe993fb5ffc8

  • SHA256

    3c7ec3973570a16645402ec5072e88dfcca455bfd72464aa8b8d5e21b4c8b3ef

  • SHA512

    6afdc5d137552f5a2ac474d2c9d6d3c77d45b98353f0942da13b94d9f3d65adefbb0e42194762ab1d02673640c2af088ea8bc4b2e563d2cb77330bc12a699a94

Malware Config

Extracted

Family

remcos

Version

1.9.2 Pro

Botnet

Host

C2

shangri027.ddns.net:200

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    true

  • mutex

    Remcos-8ZV01V

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Targets

    • Target

      Bank details.exe

    • Size

      198KB

    • MD5

      051a5f7670ccc0263258af88e3aecc97

    • SHA1

      ff040dbc93f6985fb1703bf372e6cd03ce9b46ad

    • SHA256

      e28fb6da315f75befba83ea2b6585968bfcff60104e637cb84ed63a0593ac794

    • SHA512

      329f3c71297a3ccef638bb0709e4f18f94ca1d46deafb4c382544aa2a1935d187e1aefd355380c58518cdcadb92735c86ae1d5e0ae534c6fa27ff2235bfbf276

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      Revised final Invoice.exe

    • Size

      270KB

    • MD5

      b2acd0870dcd7dd14d0cc51e67ac5e87

    • SHA1

      a778a06ebb3e57d1bf58c8b7cddda76bb1bde50d

    • SHA256

      60d06cc7ffb33c86581b085d380efcd6670f2b0bd8e70ffbf8cf48473057670e

    • SHA512

      6c5cb813945e03e4229bb1da9c4b5f0b08272b04a0962377ec0461382bdb6a6870672675a157bf128af406c31c982ac21bc7d563ef3663dc01305f1f99edab1d

    • Modifies firewall policy service

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Sality

      Sality is backdoor written in C++, first discovered in 2003.

    • UAC bypass

    • Windows security bypass

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

2
T1060

Modify Existing Service

1
T1031

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Modify Registry

7
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

3
T1089

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

6
T1082

Peripheral Device Discovery

1
T1120

Tasks