General

  • Target

    07264199.exe

  • Size

    363KB

  • Sample

    230606-s6daxsfa4y

  • MD5

    dee45488657ddf8345c2e3b06d7bd97a

  • SHA1

    c732e1f57bbd4df5eb074adf0ade814ba0b2ecff

  • SHA256

    edb595193fc312592db36cf49e9e32757868f4a10419c4ce9a89f63478bf1b1d

  • SHA512

    e6ed07d586b79f034b6e1af1779e17766cd155d6a01c97947f5a094c4d01636fd4a47122cb6c14a70c17c14448b27f2869b3e74ffb0b5fc3918404410f257d66

  • SSDEEP

    6144:XIw3EwpCUJ3ATRD/opXz3ekXEV7vQ8z7M4+NSMT2DTpGu47G:2UJQ5Gz/UV7I8z7za2Xpr

Malware Config

Extracted

Family

remcos

Botnet

SowetoHost

C2

soweto24.sytes.net:2098

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    scs.exe

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-3QH5OR

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      07264199.exe

    • Size

      363KB

    • MD5

      dee45488657ddf8345c2e3b06d7bd97a

    • SHA1

      c732e1f57bbd4df5eb074adf0ade814ba0b2ecff

    • SHA256

      edb595193fc312592db36cf49e9e32757868f4a10419c4ce9a89f63478bf1b1d

    • SHA512

      e6ed07d586b79f034b6e1af1779e17766cd155d6a01c97947f5a094c4d01636fd4a47122cb6c14a70c17c14448b27f2869b3e74ffb0b5fc3918404410f257d66

    • SSDEEP

      6144:XIw3EwpCUJ3ATRD/opXz3ekXEV7vQ8z7M4+NSMT2DTpGu47G:2UJQ5Gz/UV7I8z7za2Xpr

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Command and Control

Web Service

1
T1102

Tasks