General

  • Target

    RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.gz.zip

  • Size

    368KB

  • Sample

    240215-lvgqmsed82

  • MD5

    4eef5f049b1460a12d46ea8edb90db5d

  • SHA1

    727aac60be4870276053d5cf5488b17a5454da48

  • SHA256

    16357a4c23a0ece7480e364245e9c491019c96afe5904eb65f219f8a6b91c611

  • SHA512

    bbe2a4ede0f0715644e7f8b2b75aa2fe74602ba97567116bf7a7a1e3c26e3f8b3d34785ffd594cad5569b76244ed98b406f22bdcbddb958fd4d2a91476464d6d

  • SSDEEP

    6144:1lHGg9qK2+cWOkLdeocehf06IrkmSiwvcG7RJ+bZJ2WIx6QRkmBAjjr+ji:3p9y+FlBo+0Trv9G77+bZJ2WWr6yO

Malware Config

Extracted

Family

remcos

Botnet

3904

C2

72.11.158.94:1604

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    vsystems.exe

  • copy_folder

    vsystems

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-BSR5QU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      RFQ#RE_Q1_2100006461_SUPPLY_ABB_MATTERIALS_Waagner_Biro_Bridge_pdf.exe

    • Size

      431KB

    • MD5

      2d445bd0fd5ca61eb05f2a293e7e9ecb

    • SHA1

      4728f6650d9658ad6c9db2a1c01c88b0bd9be712

    • SHA256

      c5bbe31a17d4365500acaf7bd2fbfc10f8a0867d650e12b24e22efa239cfdb3d

    • SHA512

      a8939d865005272c265e8c235153bffad905d6cb28aabd9599e707d2e09f55e3fc876d85a68da75947df4af5dde7b2d81916bf5d53e3319194fe2eb16414fd30

    • SSDEEP

      6144:znPdudwDMyZL5OCSAPcWOkhdeocqhf06ITkmSiwvcU7RJKbZJ2AI/6QRkmBWjjr5:znPdjQOFlfoi0TTv9U77KbZJ2AmrYVj

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      4add245d4ba34b04f213409bfe504c07

    • SHA1

      ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    • SHA256

      9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    • SHA512

      1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

    • SSDEEP

      192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks