Resubmissions

29-03-2024 12:16

240329-pfrh3sgd9x 8

29-03-2024 12:11

240329-pcrdxagd5v 8

27-03-2024 19:52

240327-ylpfcaaf83 10

27-03-2024 19:06

240327-xsc58add5x 10

General

  • Target

    https://www.dropbox.com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0

  • Sample

    240327-xsc58add5x

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

nickman12-46565.portmap.io:46565

nickman12-46565.portmap.io:1735

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    Userdata.exe

  • copy_folder

    Userdata

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %WinDir%\System32

  • mouse_option

    false

  • mutex

    remcos_vcexssuhap

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      https://www.dropbox.com/scl/fo/qy2qk79x2gtuwswxjxcla/h?rlkey=9ophpx1zlqaopl8j3d53sf3wi&dl=0

    • Dharma

      Dharma is a ransomware that uses security software installation to hide malicious activities.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • RevengeRAT

      Remote-access trojan with a wide range of capabilities.

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • ModiLoader First Stage

    • Renames multiple (553) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

    • RevengeRat Executable

    • Contacts a large (645) amount of remote hosts

      This may indicate a network scan to discover remotely running services.

    • Downloads MZ/PE file

    • Office macro that triggers on suspicious action

      Office document macro which triggers in special circumstances - often malicious.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Creates a large amount of network flows

      This may indicate a network scan to discover remotely running services.

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks