General

  • Target

    PO-880182.PDF..exe

  • Size

    1MB

  • Sample

    231205-h2m98aaa68

  • MD5

    138dbab797d6d49d67f7aa2d0d5c54e9

  • SHA1

    0b799db2170957ee5fffff4eb728c11b9ab37149

  • SHA256

    f8b4f90e536a1cdd95cc100f8db1cbc90970f125110fbe883523e84b0beae62a

  • SHA512

    743914489fc36ad16146b7d24c320b1b743accdd788a9f2951ddfa7ec80312f17e4d3737fc1b06650cee3a9fb788b91f6ba74d516e4631515443563f4a0afcf4

  • SSDEEP

    49152:iytH9q1rUWS1qXtfRGHKpk3H8eiTwHFimH9jIrMKSIa+GGXHIfd2Ddk6L+O/:i+HqJS1qXtfRGHKpk3H8eiTwHFimH9jm

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:45070

127.0.0.1:52707

172.245.208.30:52707

172.245.208.30:45070

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-2NCCY9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      PO-880182.PDF..exe

    • Size

      1MB

    • MD5

      138dbab797d6d49d67f7aa2d0d5c54e9

    • SHA1

      0b799db2170957ee5fffff4eb728c11b9ab37149

    • SHA256

      f8b4f90e536a1cdd95cc100f8db1cbc90970f125110fbe883523e84b0beae62a

    • SHA512

      743914489fc36ad16146b7d24c320b1b743accdd788a9f2951ddfa7ec80312f17e4d3737fc1b06650cee3a9fb788b91f6ba74d516e4631515443563f4a0afcf4

    • SSDEEP

      49152:iytH9q1rUWS1qXtfRGHKpk3H8eiTwHFimH9jIrMKSIa+GGXHIfd2Ddk6L+O/:i+HqJS1qXtfRGHKpk3H8eiTwHFimH9jm

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • ModiLoader Second Stage

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Tasks