General

  • Target

    ab5798ec55efc5f553d4e99996fc42a574ea082e8106d08c5f2b7c6dc2afbac0

  • Size

    893KB

  • Sample

    240417-rvx1hsca89

  • MD5

    3f27e52ced5eb91c2c7c57f1ad8a5458

  • SHA1

    52418081b6b5b22bd7420491a83eb9690b2f6a6a

  • SHA256

    ab5798ec55efc5f553d4e99996fc42a574ea082e8106d08c5f2b7c6dc2afbac0

  • SHA512

    cd1b8f928ad4eb923a015803d32f0a15f989d0f5e80ecc24f7619a134c499971f8fac8d8620b6a97f299d2e75cc63555bfb30b8ab896fabbddd626d6f6e92110

  • SSDEEP

    24576:RLxOw7oJiFvzNLGDID1IZqlC4Wk4O2Wzrtg7:RLs1JuY/u4n

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    paygateme.net:2286

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-BDTHCE

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      839be5e2a653b3fbd43370403d066b16e4dd22d867997b5156de621f44bf072b.exe

    • Size

      984KB

    • MD5

      3f6158f27ef80630313026f52cac93f4

    • SHA1

      ba374eb42010c5cf44fdc259983dc44442cb0753

    • SHA256

      839be5e2a653b3fbd43370403d066b16e4dd22d867997b5156de621f44bf072b

    • SHA512

      7ce1b216d055a6ae8491d93fab07502646b1a1939e2796005005875405e65ae5a2d97fc7607690ba2d38683678d22206529ad57d26c243e76c695da5b67faaf0

    • SSDEEP

      24576:4Nxc5Gjn6R/TiWtnTS65ox40AjuCDLym06vQvyi3B:CxfjnkOYJ5cbuLyZ9

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    T1053 Scheduled Task/Job (1)

  • Persistence

    T1053 Scheduled Task/Job (1)

  • Privilege Escalation

    T1053 Scheduled Task/Job (1)

  • Credential Access

    T1552 Unsecured Credentials (1)

    T1552.001 Credentials In Files (1)

  • Discovery

    T1012 Query Registry (1)

    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (1)

    T1114 Email Collection (1)

Tasks