General

  • Target

    sales order confirmation 57876543897654.exe

  • Size

    754KB

  • Sample

    221004-qla9qabdap

  • MD5

    6522609f236e7417c916912de37cc6d5

  • SHA1

    96b6ae7d458d7aa64850ad1f55cf75257de99cf9

  • SHA256

    80bcc0545453675c158ec5a212ffe54e9aecd9c19adb4321f2d61f736e75e495

  • SHA512

    00ecc21c1bbed3eb6cb2c40b15f7a2d3729bd8fe6b1a81c00c926e59628d583e2958a2f96bde7dbf51b45d9e5394ca7c689df2123791311527ee67a3478ca560

  • SSDEEP

    12288:dMtnZYA3k+tEeWqFZip4Be+GA7Pes9q1ia9r0vYe+mY6Q4eYrP:WZY5+tEeWqFZip4B57Pd9qlqC6Q

Malware Config

Extracted

Family

remcos

Botnet

DUCKDOMAIN-FILE

C2

dapsan.duckdns.org:2404

www.dapsan.biz:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-BERTBE

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      sales order confirmation 57876543897654.exe

    • Size

      754KB

    • MD5

      6522609f236e7417c916912de37cc6d5

    • SHA1

      96b6ae7d458d7aa64850ad1f55cf75257de99cf9

    • SHA256

      80bcc0545453675c158ec5a212ffe54e9aecd9c19adb4321f2d61f736e75e495

    • SHA512

      00ecc21c1bbed3eb6cb2c40b15f7a2d3729bd8fe6b1a81c00c926e59628d583e2958a2f96bde7dbf51b45d9e5394ca7c689df2123791311527ee67a3478ca560

    • SSDEEP

      12288:dMtnZYA3k+tEeWqFZip4Be+GA7Pes9q1ia9r0vYe+mY6Q4eYrP:WZY5+tEeWqFZip4B57Pd9qlqC6Q

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • ModiLoader Second Stage

    • Blocklisted process makes network request

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Tasks