Resubmissions

10-09-2022 11:44

220910-nwl3vsaag7 10

09-09-2022 16:16

220909-tq9vmageg6 10

General

  • Target

    c1d6fcea01ed82777e63ebc9e6f085ce.vbs.vir

  • Size

    2KB

  • Sample

    220910-nwl3vsaag7

  • MD5

    c1d6fcea01ed82777e63ebc9e6f085ce

  • SHA1

    5497cee7b0f9b4f7f81491779e88edd83f167a15

  • SHA256

    de7a6bf628cdb1265197ea78967808850230114acb014cd0a39aa36adf2832f7

  • SHA512

    d1ea396de7dc2204733d113e2fed0d89b93c61cf7165ff9798a858712a81c4d9ad6a78eb0f75271f9df9e590d85c9e328ee9ce1348d01c66e0a446cda8d07611

Malware Config

Extracted

Family

remcos

Botnet

AUGB22

C2

saptransmissions.dvrlists.com:55026

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    AUGB22

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    AUGB22-JJZGN0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      c1d6fcea01ed82777e63ebc9e6f085ce.vbs.vir

    • Size

      2KB

    • MD5

      c1d6fcea01ed82777e63ebc9e6f085ce

    • SHA1

      5497cee7b0f9b4f7f81491779e88edd83f167a15

    • SHA256

      de7a6bf628cdb1265197ea78967808850230114acb014cd0a39aa36adf2832f7

    • SHA512

      d1ea396de7dc2204733d113e2fed0d89b93c61cf7165ff9798a858712a81c4d9ad6a78eb0f75271f9df9e590d85c9e328ee9ce1348d01c66e0a446cda8d07611

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks