General

  • Target

    c4869d1471e76a3efa87816ad5ebfec3.zip

  • Size

    433KB

  • Sample

    230207-k4lwaaaf97

  • MD5

    8bed4c2f2f5dd8ed4fb773826b41b8cc

  • SHA1

    76feab30fa3741496cbcbc468f8824e384aa48bc

  • SHA256

    0492e86e9f32847a07e11519c5833035b85a85473777de0c1c558e53a019e3c0

  • SHA512

    6efcd3f8d9a303c9f4408cacc2d31569e7da7c19a02c6685ceb81d2c207887ac8345e53e1929a65b021ced92efb81a3303e0bfd5d77de7aee5d3847095cbb5e5

  • SSDEEP

    12288:Dq6osVDDMiGhXfSYLlMw6lDGIbwI0PD8IUb:j5XARfLlMwcD3jAUb

Malware Config

Extracted

Family

remcos

Version

2.7.1 Pro

Botnet

MIMIBOY

C2

91.231.84.41:52651

127.0.0.1:52651

10.5.175.21:52651

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-SURYWD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;
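
The configuration above is only useful once it is turned into indicators. Two caveats matter here: of the three C2 entries, 127.0.0.1 and 10.5.175.21 are loopback and RFC 1918 addresses that no host outside the operator's own network will ever reach, so only 91.231.84.41:52651 belongs on a blocklist; and install_flag and keylog_flag are both false, so the install path, keylog file and Run value are candidate artifacts to confirm on a host, not guaranteed ones. The following script is an added example, not code from the sandbox or from Remcos: it copies the extracted values into a dict, separates blockable C2 entries from placeholders, derives the host artifacts the config names, and matches them against a small set of constructed telemetry records (the records are made up for the demonstration and are not sandbox output).

```python
"""Turn the Remcos configuration extracted above into actionable indicators.

Added example; this is not the sandbox's or Remcos' own code. The config
values are copied from the report. The telemetry records at the bottom are
constructed for the demonstration and do not come from the sandbox run.
"""
import ipaddress

# Extracted configuration values copied from the report above.
REMCOS_CONFIG = {
    "version": "2.7.1 Pro",
    "botnet": "MIMIBOY",
    "c2": ["91.231.84.41:52651", "127.0.0.1:52651", "10.5.175.21:52651"],
    "install_flag": False,
    "install_path": "%AppData%",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "startup_value": "Remcos",
    "mutex": "Remcos-SURYWD",
    "keylog_flag": False,
    "keylog_path": "%AppData%",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
}


def classify_c2(entries):
    """Split host:port entries into blockable ones and local/placeholder ones.

    Remcos configs often carry loopback or RFC 1918 addresses next to the real
    server (the operator's own test entries); only globally routable addresses
    and hostnames belong on a blocklist.
    """
    blockable, non_routable = [], []
    for entry in entries:
        host, _, port = entry.rpartition(":")
        target = (host, int(port))
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            blockable.append(target)  # a hostname: resolve it before blocking
            continue
        (blockable if addr.is_global else non_routable).append(target)
    return blockable, non_routable


def host_iocs(cfg):
    """Derive the file, registry and mutex artifacts this config describes.

    Paths are assembled exactly as the config names them, relative to the
    %AppData% variable; expand it per user when hunting on a host.
    """
    return {
        "install_path": "\\".join([cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]]),
        "keylog_file": "\\".join([cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]]),
        "run_key_value": cfg["startup_value"],
        "mutex": cfg["mutex"],
        # Both flags are false in this config, so the install path, keylog
        # file and Run value are candidates to confirm, not guaranteed artifacts.
        "install_enabled": cfg["install_flag"],
        "keylog_enabled": cfg["keylog_flag"],
    }


def match_events(events, cfg):
    """Return (event, reason) pairs for telemetry records matching this config."""
    iocs = host_iocs(cfg)
    blockable, _ = classify_c2(cfg["c2"])
    install_suffix = ("\\" + cfg["copy_folder"] + "\\" + cfg["copy_file"]).lower()
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "net" and (ev["dst"], ev["dport"]) in blockable:
            hits.append((ev, "connection to Remcos C2"))
        elif kind == "mutex" and ev["name"] == iocs["mutex"]:
            hits.append((ev, "Remcos mutex created"))
        elif (kind == "registry"
              and ev["key"].lower().endswith("\\currentversion\\run")
              and ev["value"] == iocs["run_key_value"]):
            hits.append((ev, "Run key persistence"))
        elif kind == "file" and ev["path"].lower().endswith(install_suffix):
            hits.append((ev, "Remcos copy written to install path"))
    return hits


# Constructed telemetry records for the demonstration (not sandbox output).
SAMPLE_EVENTS = [
    {"type": "net", "dst": "91.231.84.41", "dport": 52651},
    {"type": "net", "dst": "127.0.0.1", "dport": 52651},  # placeholder entry, must not match
    {"type": "net", "dst": "8.8.8.8", "dport": 53},
    {"type": "mutex", "name": "Remcos-SURYWD"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "Remcos", "data": "C:\\Users\\u\\AppData\\Roaming\\Remcos\\remcos.exe"},
    {"type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value": "OneDrive", "data": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
    {"type": "file", "path": "C:\\Users\\u\\AppData\\Roaming\\Remcos\\remcos.exe"},
]

if __name__ == "__main__":
    blockable, non_routable = classify_c2(REMCOS_CONFIG["c2"])
    print("block:", blockable, "ignore:", non_routable)
    for ev, reason in match_events(SAMPLE_EVENTS, REMCOS_CONFIG):
        print(f"{reason}: {ev}")
```

Run as-is, the script blocks only 91.231.84.41:52651, ignores the loopback and 10.0.0.0/8 entries, and flags the C2 connection, the Remcos-SURYWD mutex, the Run value named Remcos and the copy under %AppData%\Remcos while leaving the benign DNS and OneDrive records alone. The mutex name is the most stable of the host indicators because it does not depend on the install or keylog flags.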

Targets

    • Target

      Mhiwfmlub.exe

    • Size

      446KB

    • MD5

      c4869d1471e76a3efa87816ad5ebfec3

    • SHA1

      dd0cc24265371721bd1eb383ce3f460081074763

    • SHA256

      92767f44cc14eeed6919d8b3c214d63d1e9fb72439d9f6a662a4a595d8512b3b

    • SHA512

      1b664fd1eca97d224d64d4d050cdba3a8cebc8fa51c2bc59640ea5eb46e1352cc65cc51c8aab7ee5ea2e9e70f803325fb87f2188e55caf84f227252396542fc0

    • SSDEEP

      12288:BBJooIJUl95lJVfWkAy2KcwsDInlhm3tur8KgQUg:HyVgXlJ9WkAf5Ibm9u4oUg

    • Detect PureCrypter injector

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1 match)

  • Defense Evasion: Modify Registry, T1112 (1 match)

  • Discovery: System Information Discovery, T1082 (1 match)

The technique IDs above follow ATT&CK v6. T1060 was deprecated in later ATT&CK versions and the same behaviour is now catalogued as T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); T1112 and T1082 are unchanged.

Tasks