General

  • Target

    DOCUMENT77@#$@@yyy#@#.exe

  • Size

    946KB

  • Sample

    240219-l8jgdscb8v

  • MD5

    201947fbb912ee8c0f7eadb620188bef

  • SHA1

    5842ca1cd58283eeda5b1fed41053bd05e660e62

  • SHA256

    a7e9fbef84a3e14d5e801f2004d75a47032df8fbb9da9dd86071098eeaf6a2d4

  • SHA512

    2a2d04a45fddeee1c301ef4d76ec9ae7a277977c500d887ce520e81f112d1a5d105052c37aee32faa7368f92904d8ebb7d12944a5083a93a9c5033898804a584

  • SSDEEP

    24576:pcx2PNShI959J60rmLPOWTaUHrFAgxKFdtuw:pcxsSMKSMWYdHrFly1

Malware Config

Extracted

Family

remcos

Botnet

Special

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    lonjoup.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    lpereits-FZGND0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      DOCUMENT77@#$@@yyy#@#.exe

    • Size

      946KB

    • MD5

      201947fbb912ee8c0f7eadb620188bef

    • SHA1

      5842ca1cd58283eeda5b1fed41053bd05e660e62

    • SHA256

      a7e9fbef84a3e14d5e801f2004d75a47032df8fbb9da9dd86071098eeaf6a2d4

    • SHA512

      2a2d04a45fddeee1c301ef4d76ec9ae7a277977c500d887ce520e81f112d1a5d105052c37aee32faa7368f92904d8ebb7d12944a5083a93a9c5033898804a584

    • SSDEEP

      24576:pcx2PNShI959J60rmLPOWTaUHrFAgxKFdtuw:pcxsSMKSMWYdHrFly1

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Patienternes/Wowserish/Biorytmeekspert/Rosenbrdene.Unt

    • Size

      48KB

    • MD5

      e2afce5a93604fa3c296d870c910fa5b

    • SHA1

      20d1c2841bdab28d025c68fd4992376be2542f9e

    • SHA256

      03836bcfc2896a835b714eca8a21ae7f6b5bdedeedd5d3f92b916ff576402a03

    • SHA512

      2c112b710a4697a29975733317a18b57d140a5656ef97e69243c547a2b727d7b1f0c8b385ccb75ee92c3c0f99cb6d3e3cfa19006e16d07fd4e11efcc94faf3d1

    • SSDEEP

      768:gJj8g4er4bsk9LIF/vV03U57kmUrgmFeAKKEHwPlHcjI2WcY9g/FQtsCggjhFAmr:Oj8JeadIF/903UK6AKRHI8M2Wltn3jTJ

    Score
    8/10
    • Modifies Installed Components in the registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 2

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 2
  • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Modify Registry (T1112): 4

Discovery

  • System Information Discovery (T1082): 3
  • Query Registry (T1012): 3
  • Peripheral Device Discovery (T1120): 2

Collection

  • Email Collection (T1114): 1

Command and Control

  • Web Service (T1102): 1
