General

  • Target

    1327f5bded3d1cb76080f55f4a40fd90_NeikiAnalytics

  • Size

    301KB

  • Sample

    240509-2j6hmadh39

  • MD5

    1327f5bded3d1cb76080f55f4a40fd90

  • SHA1

    8aa9964f6c225a5e6d6c6d3582a5126403a85bb4

  • SHA256

    a2435bf76ced4e6349a2de766ec3442caa5b59d31a17dad62d8af4e8e734e97a

  • SHA512

    64d3727780836dc7143efaa2ffe8195303921c11e437b3e03e218a4f082c3ec87e23a6909e4098986c7679bd4e8e95c507fe23938db497d40612c822b093752f

  • SSDEEP

    6144:DRYD3iqZgQMY+eGWygd6vBiCbQ3frTX9YqBXOlk7:ySy3tGidEBiCbQ3TTLEi

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    Attack

  • C2

    block-achieve.gl.at.ply.gg:33723

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    RegAsm.exe

  • copy_folder

    MSDCSC

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %WinDir%\System32

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    save

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-2S2I78

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    RegAsm.exe

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block-at-first-seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15