General

  • Target

    PO2023.docx

  • Size

    10KB

  • Sample

    230313-ldmkkabf6s

  • MD5

    3bd45b53b7c5bb34787723820e0fdae3

  • SHA1

    67d08bbc3da158e4d600d6447350e70774a0a35b

  • SHA256

    219cefc8a02aa9c891d95febd308941a2f6d2a8fb5dadcb14b747bd456d56e5f

  • SHA512

    c7a19b16fc5fbc1d6a68428965f2c4b295cf226f0c91aa7e91401a1c2f121d0177c030e3c3ada1ca30d5fecd8b86d0e69227170a1965c02d0cb5eff599ff80bb

  • SSDEEP

    192:ScIMmtP1aIG/bslPL++uO1KPol+CVWBXJC0c3dkJfe:SPXU/slT+LO1YoHkZC9dqm

Malware Config

Extracted

Rule

Microsoft Office WebSettings Relationship
C2

http://AWWSSS09d0asdas9d0qwqwSADQWDASDASDASDA9009d8qw88asd8asdASDQWCCVFSDFSDF878878787887878788@314482727/se.......se.........se.doc

Extracted

Family

remcos

Botnet

RemoteHost

C2

top.noforabusers1.xyz:2404

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-5DQBA4

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

formbook

Campaign

dcn0

Decoy

Targets

    • Target

      PO2023.docx

    • Formbook

Formbook is a data-stealing malware family.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Checks computer location settings

Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials.

    • UPX packed file

Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scripting

    T1064 (1)

  • Exploitation for Client Execution

    T1203 (1)

Persistence

  • Registry Run Keys / Startup Folder

    T1060 (1)

Defense Evasion

  • Scripting

    T1064 (1)

  • Modify Registry

    T1112 (2)

Credential Access

  • Credentials in Files

    T1081 (1)

Discovery

  • Query Registry

    T1012 (3)

  • System Information Discovery

    T1082 (4)

Collection

  • Data from Local System

    T1005 (1)

  • Email Collection

    T1114 (1)
Tasks