Overview

overview

10

Static

static

3

0028BGL880...DF.exe

windows7-x64

10

0028BGL880...DF.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    0028BGL880-2024.PDF.exe

  • Size

    1.6MB

  • Sample

    240403-tdxpjafe98

  • MD5

    eac95a52ac634d3ea75387201a2c749c

  • SHA1

    e808ef56d1b382b1e01e16af299a548cb038f52c

  • SHA256

    f7f1798e3d66880f2cb35f6764a1c32902abb3ce7ceafe0bc049496ca9161e63

  • SHA512

    6ae5883a1cb8aaa42abc0c8bbfeba2715086ec39ad2028937600b2c925b3093070a72531e4e5abf2d4dafb00bcbab8c2fd5f97aae590dd87645befc27701d346

  • SSDEEP

    49152:ay6imwGhfj4GBT2z95Zw/L+gwnzFnwyuPTh:azimw4f8iSuD+g

Score
10/10
modiloaderremcosremotehostcollectionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:45671

127.0.0.1:55677

192.3.101.8:55677

192.3.101.8:45671
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-2P1XPK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      0028BGL880-2024.PDF.exe

    • Size

      1.6MB

    • MD5

      eac95a52ac634d3ea75387201a2c749c

    • SHA1

      e808ef56d1b382b1e01e16af299a548cb038f52c

    • SHA256

      f7f1798e3d66880f2cb35f6764a1c32902abb3ce7ceafe0bc049496ca9161e63

    • SHA512

      6ae5883a1cb8aaa42abc0c8bbfeba2715086ec39ad2028937600b2c925b3093070a72531e4e5abf2d4dafb00bcbab8c2fd5f97aae590dd87645befc27701d346

    • SSDEEP

      49152:ay6imwGhfj4GBT2z95Zw/L+gwnzFnwyuPTh:azimw4f8iSuD+g

    Score
    10/10
    modiloadertrojanremcosremotehostcollectionpersistenceratspywarestealer

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • ModiLoader Second Stage

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks