Overview

overview

10

Static

static

3

554b40336b...e0.exe

windows7-x64

10

554b40336b...e0.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    554b40336bad24df88cbde544cdf20d553d02ce7fee5dab9a82318d7c21471e0.exe

  • Size

    966KB

  • Sample

    240405-bnx4yagg69

  • MD5

    9beaec299e48eb0072fd6e270d8e8cd3

  • SHA1

    a719b69d48a210af3749bccd27b4ad5185c35d8d

  • SHA256

    554b40336bad24df88cbde544cdf20d553d02ce7fee5dab9a82318d7c21471e0

  • SHA512

    d0742bee412db3abdb8ddee99ceaf45721f6c72c2b9044838d755b6e8a51377831177eb087f709efee31dc36871e2e274338734731e3d89519bebfb1e74c0733

  • SSDEEP

    24576:dtHKWYHu2k6ei445zcNjNGbr3SN2jcjR11O7Akmla:7KWYHu2kf745zCa3SN2jcjRuUkK

Score
10/10
remcosbuddycollectionratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

BUDDY

C2

192.210.201.57:52499

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-LMLI87

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      554b40336bad24df88cbde544cdf20d553d02ce7fee5dab9a82318d7c21471e0.exe

    • Size

      966KB

    • MD5

      9beaec299e48eb0072fd6e270d8e8cd3

    • SHA1

      a719b69d48a210af3749bccd27b4ad5185c35d8d

    • SHA256

      554b40336bad24df88cbde544cdf20d553d02ce7fee5dab9a82318d7c21471e0

    • SHA512

      d0742bee412db3abdb8ddee99ceaf45721f6c72c2b9044838d755b6e8a51377831177eb087f709efee31dc36871e2e274338734731e3d89519bebfb1e74c0733

    • SSDEEP

      24576:dtHKWYHu2k6ei445zcNjNGbr3SN2jcjR11O7Akmla:7KWYHu2kf745zCa3SN2jcjRuUkK

    Score
    10/10
    remcosbuddycollectionratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Detects executables built or packed with MPress PE compressor

    • Detects executables packed with SmartAssembly

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks