Resubmissions

  • 19-04-2024 15:32    240419-syya5agh2t    10

  • 19-04-2024 15:32    240419-symvdsgg9w    3

General

  • Target

    CDE_2044850790_PDF.Tar

  • Size

    962KB

  • Sample

    240419-syya5agh2t

  • MD5

    ef9596c2f58aea802c4ef5e1b1d7cf45

  • SHA1

    bcc3b63350bb891efa1565d3bfc695c79a9afe88

  • SHA256

    35f299808b22a77def2f1173cda754eaf804771fddd6e024d4d44bd47d8bf03e

  • SHA512

    bf9f83ad21897a5b448d6f3ccb78f25bde477c90b07cdfa435e45490e76365fef9eb441ed02fd9adc4a0512c9e7ecf956c0777d62df5c231643d89ba14f014d5

  • SSDEEP

    24576:eonmjNY3N995kJgUrdU5A8YfZo1wx2UU6SvFjQfF+:eonmy9v5kJgUaO+wxws0

Malware Config

Extracted

Family

remcos

Botnet

BiggsCrypt

C2

20.121.128.235:4876

20.121.128.235:4834

20.121.128.235:4845

20.121.128.235:4674

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    oooa.dat

  • keylog_flag

    false

  • keylog_path

    %UserProfile%

  • mouse_option

    false

  • mutex

    wwowsasazaza-RIAKS5

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      CDE_2044850790_PDF.cmd

    • Size

      3.4MB

    • MD5

      a42a317ed1791e39e4e615e53e3a7566

    • SHA1

      e8da852c8b5fdb181f6f97f2bbef4da40de8b5cc

    • SHA256

      ffd7766f1856786dcb90a9612d7f58d97a6139e34cb7e9cc72848565a5b49433

    • SHA512

      4a154d1fc84f9fda0733901e8455a0b2babfaa51dc122b99b8a4607b81b010e2b7a60bd4cb7a99a1b45c1c63a18594519390726bb772f22d6083785a8870f33b

    • SSDEEP

      49152:XPT9trJgjekSb3rAcSLOffS2HrE4k5oIwxiCuQH/gSzwaqvcpoPpJ6Iinax9TKsq:b

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    T1547 Boot or Logon Autostart Execution (1)

    T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1547 Boot or Logon Autostart Execution (1)

    T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (1)

    T1082 System Information Discovery (1)

Tasks