Overview

overview

10

Static

static

3

ORDER#4510...fs.exe

windows7-x64

7

ORDER#4510...fs.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe

  • Size

    789KB

  • Sample

    240205-ygn9sahabj

  • MD5

    e2889893d75c1ea7bd8982274873b1b8

  • SHA1

    9ebedbf8146b9862503bf3c40239e169b09c67a7

  • SHA256

    5a30a9b801943074fc132f20ab5f77cc2c2bd95ccd76a535b3ad7e8fcf6d1cdd

  • SHA512

    a5c2fa4c73b885dd51cb07a227eb709805ec2d50c20be4f97f363f27dc2dd5377d4da9f695cd075287c50a619823082624a5f01838ae6dc126d4c51a70eb1275

  • SSDEEP

    24576:hMwhWpdsQpT6q3tmxUgxDEuZ9WI+spi9iCnqV+:hMweskT6q30x4uZ8dr9q4

Score
10/10
remcos2024collectionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

2024

C2

72.11.158.94:1604

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    vexplorers.exe

  • copy_folder

    vexplorers

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-800RNZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      ORDER#4510093083_POs_NEW_MATERIAL_JAN_2024_POs_pdfs.exe

    • Size

      789KB

    • MD5

      e2889893d75c1ea7bd8982274873b1b8

    • SHA1

      9ebedbf8146b9862503bf3c40239e169b09c67a7

    • SHA256

      5a30a9b801943074fc132f20ab5f77cc2c2bd95ccd76a535b3ad7e8fcf6d1cdd

    • SHA512

      a5c2fa4c73b885dd51cb07a227eb709805ec2d50c20be4f97f363f27dc2dd5377d4da9f695cd075287c50a619823082624a5f01838ae6dc126d4c51a70eb1275

    • SSDEEP

      24576:hMwhWpdsQpT6q3tmxUgxDEuZ9WI+spi9iCnqV+:hMweskT6q30x4uZ8dr9q4

    Score
    10/10
    remcos2024collectionpersistenceratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks