General

  • Target

    028be5788093b28cb81278a235abe328ece0264fbcec09e599e9251f0a87e562

  • Size

    893KB

  • Sample

    240417-rvyxtade81

  • MD5

    62405c5a2161f4598fe0fe3341ec276d

  • SHA1

    93311d2e55f23499045ee219817275e8ab9b7c22

  • SHA256

    028be5788093b28cb81278a235abe328ece0264fbcec09e599e9251f0a87e562

  • SHA512

    4a136b73214ea0641d65e0f2af930bae3b1482c76fc24c9f50df57f96b810b664c5d7c418e33e28efc026fd128bd58ef25678f460156fe00df410e147c917580

  • SSDEEP

    12288:eXrU4CWVDl7CSl/CNGtcnBm5C3WQJEYMd0gABNcI4Ynu0TaTtPRO7vHnFHE5pR76:egSblKAl54JEYMdWtnZTSt+vHnBE5PK1

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

paygateme.net:2286

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-BDTHCE

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      839be5e2a653b3fbd43370403d066b16e4dd22d867997b5156de621f44bf072b.exe

    • Size

      984KB

    • MD5

      3f6158f27ef80630313026f52cac93f4

    • SHA1

      ba374eb42010c5cf44fdc259983dc44442cb0753

    • SHA256

      839be5e2a653b3fbd43370403d066b16e4dd22d867997b5156de621f44bf072b

    • SHA512

      7ce1b216d055a6ae8491d93fab07502646b1a1939e2796005005875405e65ae5a2d97fc7607690ba2d38683678d22206529ad57d26c243e76c695da5b67faaf0

    • SSDEEP

      24576:4Nxc5Gjn6R/TiWtnTS65ox40AjuCDLym06vQvyi3B:CxfjnkOYJ5cbuLyZ9

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks