General

  • Target: 70C62A38AC3CD3996CE074EEC82EF702351A7B7BDE14D8C9CCDA4FF73DC630A0
  • Size: 495KB
  • Sample: 221123-r2wq2aab96
  • MD5: 327ba1371dd35e7e2bd6bc7e5e77d4cc
  • SHA1: 1ea37918119e2f664f783a6ab44b8aaefa9fc139
  • SHA256: 70c62a38ac3cd3996ce074eec82ef702351a7b7bde14d8c9ccda4ff73dc630a0
  • SHA512: 55a3004d2a97d7cfb16bacf6a8fd3712726cbd2996399857eb8c9bf7f903ea1e15864d462c291d2f5a087fb556417556f5ada0bd6e4991daa32eb6c4b51aa752
  • SSDEEP: 12288:dMIZdDqm712NCSpmG9BaMT+QaFYSobRtpb22oa/AViWXwF:dtZdDYjas9lxb22oa/AVJg

Malware Config

Extracted

  • Family: remcos
  • Botnet: BACK-UP-DOMAIN
  • C2: www.arkern-tr.com:2404

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: Rec
  • mouse_option: false
  • mutex: Rmc-W3LVOT
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: ScanDocumentsfiles00204865030303388493335950.exe
    • Size: 36.0MB
    • MD5: 6af00ae353deeb4cce9bb865b37fae16
    • SHA1: e1daca49fec4b46ab45f69d9d8196209935262af
    • SHA256: 5180dca560ce8ad4b5001b77e3da2897890c00bab9193d0bdbd294e6b5fc8b80
    • SHA512: dc6fb6e1e872d15af76b960f4933726144ef37551f07a58d671ac527789a049f83e8094002b0240f7a79d4e06bc1b6b46aa7a9a129d60e3c20abc3425ea9cd42
    • SSDEEP: 24576:bo0fsegIq86wlMrqBOOMBebMMMMMMMMMMMMMMMMMBLM:bYIvBONGMMMMMMMMMMMMMMMMMS

    • ModiLoader, DBatLoader
      ModiLoader is a Delphi-based loader that abuses cloud services to download other malware families.
    • Remcos
      Remcos is closed-source remote control and surveillance software.
    • ModiLoader Second Stage
    • Blocklisted process makes network request
    • Executes dropped EXE
    • Loads dropped DLL
    • Adds Run key to start application

MITRE ATT&CK Enterprise v6

Tasks