General

  • Target

    r1522024.exe

  • Size

    839KB

  • Sample

    240215-sxjfksaa9s

  • MD5

    35562de1445f84deee725deefe31b410

  • SHA1

    0e8168206e896875cccad315a2890820cae1cf33

  • SHA256

    7e08d267c3771ac900b9ecfe7b293aa7337a276a5929997180709b74114cdacb

  • SHA512

    a4b87335b32d87261eb93c9e5e1187adc752897659d6006e7ccad739ca20b2e80f111b4fd653580945e0664dc9fa3383dee7c8477093e2445b9a2a3f4ffc3fa1

  • SSDEEP

    24576:tMwT8bZSKZ+lKmxUgxDEuZ9WI+spi9iCnqVW:tMwHKi/x4uZ8dr9qI

Malware Config

Extracted

Family

remcos

Botnet

Client

C2

46.183.223.29:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    images.exe

  • copy_folder

    images

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZOAGZI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      r1522024.exe

    • Size

      839KB

    • MD5

      35562de1445f84deee725deefe31b410

    • SHA1

      0e8168206e896875cccad315a2890820cae1cf33

    • SHA256

      7e08d267c3771ac900b9ecfe7b293aa7337a276a5929997180709b74114cdacb

    • SHA512

      a4b87335b32d87261eb93c9e5e1187adc752897659d6006e7ccad739ca20b2e80f111b4fd653580945e0664dc9fa3383dee7c8477093e2445b9a2a3f4ffc3fa1

    • SSDEEP

      24576:tMwT8bZSKZ+lKmxUgxDEuZ9WI+spi9iCnqVW:tMwHKi/x4uZ8dr9qI

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks