General

  • Target

    68e4e02abb6cfe1a980aa3a97bcad4f8.bin

  • Size

    6KB

  • Sample

    230313-mw6ltsaa46

  • MD5

    9927eb9607b759d5286e69a6c5a603dd

  • SHA1

    8bc9b7fb5ee5e88dc0522167a7f9276f618c76da

  • SHA256

    0dd1f23cffd3a98b4f2b570783324b27bb73f428940338cb634218c2d872b266

  • SHA512

    95317515fe9b4833664d02d1fc1f1550b682d0366a39459887b08b099af213d44e672cffb61b30d2d76f39fa16faba829e3b176f62be4c6ba48a3646584a1ab6

  • SSDEEP

    192:VRsFwpUfHhVqOKLrHoMmj/iqC5oJpAzwHRtFt:VKMOKLrIMmLS5Bz6f3

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    top.noforabusers1.xyz:2404

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-5DQBA4

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

  • Family

    formbook

  • Campaign

    dcn0

  • Decoy

    ZVx68vDtAMBCwg==

    oBMBvsNORkM/O/ox

    Ff9pISWkm6eG4lByIspp

    c2T42c6CIIF6B8xTxm9XzpVw

    bvjhxRbnAC183w==

    0lTttSNG4HUDNflyIspp

    hPXFlstqiHA/O/ox

    WLR+MeerxZ0cNn1ja+IQAYo=

    IHRn4xXOVKi477zarG+ObSy7YJA=

    Xhf3e+tdAC183w==

    Xk0ZAezv2rWH

    kngo+vBeSRN7AszNwam3Osmguuqc0MoC

    a2Qp7a+E8fSw7LDjpnqEKjsRZA==

    3zjy4E7+QM48wg==

    YcCmqT3OUNAigVott2pBKiy7YJA=

    4+SMeX1juat/5cZ1AZihcyy7YJA=

    /+m7sro0OBTl3TMpCw==

    i2ctEfe4//a64yklMsgS2J90

    +loZ2QKGX0UWgpvErMs=

    b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Targets

    • Target

      5e83e78d0fe81ef4fdeb85e1a97ee390aa9259349ba37abb7e32648ee2246404.rtf

    • Size

      10KB

    • MD5

      68e4e02abb6cfe1a980aa3a97bcad4f8

    • SHA1

      15885c44c852a92ccb8beb656e6f9e788794f833

    • SHA256

      5e83e78d0fe81ef4fdeb85e1a97ee390aa9259349ba37abb7e32648ee2246404

    • SHA512

      dfbaac2b0cd9a0904f703f65708a267f13fd05d3510476ee6915ff5a1ce87440d4613f0ebaeae23ed4799c9fc51f10f8cf0833515b369c2c6feb49df7031562b

    • SSDEEP

      192:iAum75aReNM6p05FiVB+YjY+NYjRiUkqjZvWgtLChIvJZqc5vEQrfcPZSPmfzezZ:ihZGMJiPv8IYjUUDjZvWg1Ch2ZBvEQjx

    • Formbook

      Formbook is a data-stealing malware family.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Nirsoft

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified variant of it.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks