General

  • Target

    a108ae8bd69ac84bc8dd5fa7bdbb6eff9cd65a70c16567e0f36dae1f15d090fd.exe

  • Size

    1.6MB

  • Sample

    240404-cp5e3sca5w

  • MD5

    4e1e0180c5e140946d7970f64e644ac1

  • SHA1

    e5f939a05d817a4b56ef7ec74788ad9ce3b8cb27

  • SHA256

    a108ae8bd69ac84bc8dd5fa7bdbb6eff9cd65a70c16567e0f36dae1f15d090fd

  • SHA512

    f50883d44f5ccdccb9adf9cb6cc3f6c9d6947e9b0f85d7727af151424e54d1f041d3bb6238dd29f27c47ebed20ae7e74187d31b67fd285cc1aa7d28e66204954

  • SSDEEP

    49152:ay6imwGhfj4GBT2z95Zw/L+gwnz1nwyuPTh:azimw4f8iSuD+g

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:44999

127.0.0.1:54991

africarem.duckdns.org:54991

africarem.duckdns.org:44999

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-R571U4

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      a108ae8bd69ac84bc8dd5fa7bdbb6eff9cd65a70c16567e0f36dae1f15d090fd.exe

    • Size

      1.6MB

    • MD5

      4e1e0180c5e140946d7970f64e644ac1

    • SHA1

      e5f939a05d817a4b56ef7ec74788ad9ce3b8cb27

    • SHA256

      a108ae8bd69ac84bc8dd5fa7bdbb6eff9cd65a70c16567e0f36dae1f15d090fd

    • SHA512

      f50883d44f5ccdccb9adf9cb6cc3f6c9d6947e9b0f85d7727af151424e54d1f041d3bb6238dd29f27c47ebed20ae7e74187d31b67fd285cc1aa7d28e66204954

    • SSDEEP

      49152:ay6imwGhfj4GBT2z95Zw/L+gwnz1nwyuPTh:azimw4f8iSuD+g

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Detects executables built or packed with MPress PE compressor

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • ModiLoader Second Stage

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks