General

  • Target

    remcos.zip

  • Size

    277KB

  • Sample

    240522-vasrvahe9y

  • MD5

    b6a5b00260a526d5b76281d4036a937e

  • SHA1

    3da32408bc09787b9941726f5804e57c7ecc6460

  • SHA256

    201676cf65cb747e532277d504a1bd958465b6419e2eaf27d0ced7aca1e07320

  • SHA512

    f426089b4717f16f6185f74f9e9a7c44f8364350726a38682a9aeb3ee452c28c09d910ef89d563fc13cb462533ea9677385a9ba3d038f32194d8fe21ada396b9

  • SSDEEP

    6144:3VhjqEf9LkAzlucKYhwG3KhNVRIKQd90bK9OzoLpP:nrf9LksTwtNVILqK9YMJ

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    ZYNOVA

  • C2

    remchukwugixiemu4.duckdns.org:57844

    remchukwugixiemu4.duckdns.org:57846

    remchukwugix231fgh.duckdns.org:57844

    remchukwugix231fgh.duckdns.org:57846

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    lpaowtrts.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    akpleoeurs-QPYUMO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5

    • Size

      483KB

    • MD5

      f6118a965e44ee55e708edf7adcdc1df

    • SHA1

      d5ed640efe39c52ed9a08841837654979f38b384

    • SHA256

      0af76f2897158bf752b5ee258053215a6de198e8910458c02282c2d4d284add5

    • SHA512

      7aca0810ffda2d45c44186f8d75e19b446e475879123b46d97ec6fa2fd302b3690d5e0f56c9d5ae8b13a4023f9a92bf4b58c1493f3890b8d302a15a8db0caacf

    • SSDEEP

      6144:8XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZsAX4cNA5Gv:8X7tPMK8ctGe4Dzl4h2QnuPs/ZsBcv

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access

    Unsecured Credentials (1): T1552

    Credentials In Files (1): T1552.001

  • Collection

    Data from Local System (1): T1005

    Email Collection (1): T1114

Tasks