General

  • Target

    anexe40.zip

  • Size

    1.3MB

  • Sample

    240126-q9khasgfap

  • MD5

    9d5c878aaaf8e4f956e1402646e2d06d

  • SHA1

    6bba2395bd3fa415a69ba03883693d8f52cfef45

  • SHA256

    c40187647ed4519e1b0adca086d637cf76d05890a431343942360332818975d3

  • SHA512

    c3c21bc9de4d0a0c5516fc8bd0dc60b44e2c764becdc9b7527ef939e8171381687829be273f0ffabbc0b0c6b30dd769fb58add3333d15f05d98bcb4841339f82

  • SSDEEP

    24576:wJ3e7AbvxpQac1uCPRdoxLCLIZ8iOeN4kmjICWVps3wDgmbhilkG:HGxG1zPRdWmLIC1eZsbWVps3whbA7

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    Crypted

  • C2

    172.206.61.17:55642
    172.206.61.17:55746
    172.206.61.17:55867
    172.206.61.17:55733

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    xosa.dat

  • keylog_flag

    false

  • keylog_path

    %UserProfile%

  • mouse_option

    false

  • mutex

    mioeiasa-XMLRCS

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      TransportLabel_7685508907_PDF - Copy (2).exe

    • Size

      1.9MB

    • MD5

      c295d1b04c08cca83884279ef5deebeb

    • SHA1

      62589735b49497bfefff8f1e2994ab7bde2b05f7

    • SHA256

      3c22de3eaaaa8896d5d806e8840f6c37957062519614a30bc2c1d1c4dcbfc240

    • SHA512

      0ab11da7595c473aa180c95442a0e302984aa08679cf6ee023813a41de1e880b42c23ab2fd474884c511357b6296dacf60433089fbf2715a07fd2ffd8a3c5ad1

    • SSDEEP

      49152:6QYedNTsjnxf2hp4XLkrhKOekUvUeudcv4aF5P0RuG:6Qpds2hp4XQrhhekUvfud+uRp

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • ModiLoader Second Stage

    • Creates new service(s)

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1

Privilege Escalation

  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 1

Tasks