General

  • Target

    4f770c6e486094815d8abd6cba0d4dad.exe

  • Size

    477KB

  • Sample

    230507-ccxjpsdc5z

  • MD5

    4f770c6e486094815d8abd6cba0d4dad

  • SHA1

    e299fe236fb2fd576fe5ae71d645bf6214a85c1a

  • SHA256

    0ac9f7546283cc6a26297dda1873c8162500e13ec67d10f036033488352fc026

  • SHA512

    c5347e0174a5d2161b4a9a732f344027402b6a35895edb32e120e9872b9d6eae5ed64b6adfe769982225fe283e5b29c89b975e447113f600fa5ac4648276aa4e

  • SSDEEP

    12288:IX8/Vx65HCnDAByqulR1fZJQGs/Z8URq:P/Vc5HCnDABMfZJQNZr

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

141.95.16.111:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Terminal.exe

  • copy_folder

    Microsoft

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    penos

  • keylog_path

    %Temp%

  • mouse_option

    false

  • mutex

    Rmc-XHJ4CU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

stealerium

C2

https://discord.com/api/webhooks/1099675047611859056/uR1w8pLP8LJCDIVjVkBzojXsbj3DiEjaFjTz7pLj3ehsvi4yn00DDJrQ03Ws4_AuJ-Km

Targets

    • Target

      4f770c6e486094815d8abd6cba0d4dad.exe

    • Size

      477KB

    • MD5

      4f770c6e486094815d8abd6cba0d4dad

    • SHA1

      e299fe236fb2fd576fe5ae71d645bf6214a85c1a

    • SHA256

      0ac9f7546283cc6a26297dda1873c8162500e13ec67d10f036033488352fc026

    • SHA512

      c5347e0174a5d2161b4a9a732f344027402b6a35895edb32e120e9872b9d6eae5ed64b6adfe769982225fe283e5b29c89b975e447113f600fa5ac4648276aa4e

    • SSDEEP

      12288:IX8/Vx65HCnDAByqulR1fZJQGs/Z8URq:P/Vc5HCnDABMfZJQNZr

    • Detects Redline Stealer samples

      This rule detects the presence of Redline Stealer samples based on their unique strings.

    • Modifies security service

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Adds policy Run key to start application

    • Drops file in Drivers directory

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks