General

  • Target

    5-22 - Re-Schedule Notice for (HTW) EVER FRANK 1346-018E (TWTPE) - SO#C348.scr

  • Size

    926KB

  • Sample

    240522-l6qgxsbd46

  • MD5

    1784f051e12e25d36f33965d1a32f806

  • SHA1

    b51d7cba074c043b543a537db2743566fa3ba0ac

  • SHA256

    ac28e104b06d7025bab07468070e74b3ea0017b34d25e48150b6c55f8ffda4bf

  • SHA512

    a741dd7b19fab2192786b64df250adf5ab1538d2645f4c6986d5048a5ded901df5c09f24e39450c43a0eafcd09a1023533de96bbfaf4933bd1377068d81f8766

  • SSDEEP

    12288:i3X4MaU+3Rk/T2xi/tRBd1XRbiacwiy75UZN7I7L7Zu28C//rBA0Rt:EsU+aqxi/vBnAx5ao8nEC//rC0R

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

104.250.180.178:7902

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Microsoft .exe

  • copy_folder

    Microsoft

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Microsoft -QUCX7D

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      5-22 - Re-Schedule Notice for (HTW) EVER FRANK 1346-018E (TWTPE) - SO#C348.scr

    • Size

      926KB

    • MD5

      1784f051e12e25d36f33965d1a32f806

    • SHA1

      b51d7cba074c043b543a537db2743566fa3ba0ac

    • SHA256

      ac28e104b06d7025bab07468070e74b3ea0017b34d25e48150b6c55f8ffda4bf

    • SHA512

      a741dd7b19fab2192786b64df250adf5ab1538d2645f4c6986d5048a5ded901df5c09f24e39450c43a0eafcd09a1023533de96bbfaf4933bd1377068d81f8766

    • SSDEEP

      12288:i3X4MaU+3Rk/T2xi/tRBd1XRbiacwiy75UZN7I7L7Zu28C//rBA0Rt:EsU+aqxi/vBnAx5ao8nEC//rC0R

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks