Overview

overview

10

Static

static

3

c5568321b4...cs.exe

windows7-x64

10

c5568321b4...cs.exe

windows10-2004-x64

10

$PLUGINSDI...er.dll

windows7-x64

1

$PLUGINSDI...er.dll

windows10-2004-x64

1

$PLUGINSDI...ge.dll

windows7-x64

1

$PLUGINSDI...ge.dll

windows10-2004-x64

1

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

Milieubesk...rs.com

windows7-x64

Milieubesk...rs.com

windows10-2004-x64

Sabbatters.app

macos-10.15-amd64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

  • Size

    349KB

  • Sample

    240523-sqtyqsff38

  • MD5

    c5568321b40f1d51afac49234d2de480

  • SHA1

    c5169e1d05419bb698b86704ae8f3cbe7011d42e

  • SHA256

    560b3bba2f6d3e74b1901904c7ea9e7c61f94c754e648cb6503abaa233d7c485

  • SHA512

    f15d0141a89e1a6d89b030d10f2e7e60efbf5d2b21a905335f6ba79de8908796bfd4df928f398e984e06a86d3023cde783690843871f222432677dd5a848674e

  • SSDEEP

    6144:wQ606xhLK0o+/zqdPCb3m2aOmjpygIb20PM+Drhvnv/6:wK0bqdM2EVbv3hvnH6

Score
10/10
remcosclientcollectionmacospersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

CLIENT

C2

107.150.18.202:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J3QQTH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      c5568321b40f1d51afac49234d2de480_NeikiAnalytics.exe

    • Size

      349KB

    • MD5

      c5568321b40f1d51afac49234d2de480

    • SHA1

      c5169e1d05419bb698b86704ae8f3cbe7011d42e

    • SHA256

      560b3bba2f6d3e74b1901904c7ea9e7c61f94c754e648cb6503abaa233d7c485

    • SHA512

      f15d0141a89e1a6d89b030d10f2e7e60efbf5d2b21a905335f6ba79de8908796bfd4df928f398e984e06a86d3023cde783690843871f222432677dd5a848674e

    • SSDEEP

      6144:wQ606xhLK0o+/zqdPCb3m2aOmjpygIb20PM+Drhvnv/6:wK0bqdM2EVbv3hvnH6

    Score
    10/10
    remcosclientcollectionpersistenceratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/Banner.dll

    • Size

      4KB

    • MD5

      0d5428f7920274caedfa8f2ae980e196

    • SHA1

      ce2ca2381a4b9ed9f06f6af5a183a840de290c3f

    • SHA256

      4083bef584ad6793b3d57e3e3f764a31afac876412df65c5da5afee76bbd1e10

    • SHA512

      78419752f3e6579f7caf1f9bab70a46ac2b0a7c5f08eb8604e927baea611c182133ce8d58929a059f22e6c2befb5ff0c24ee6500d0708bc884a65e395ea7c4cf

    Score
    1/10
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      9436196007f65f0ae96f64b1c8b2572e

    • SHA1

      4b004b5c2865c9450876be83faa8cc96e1d12c01

    • SHA256

      286f246ee18bf91c4a80fa2cdb61077a4bcf0a3fd6582be4b4ab6a5cb3de44c9

    • SHA512

      5c172675fbbea214471ac35eebaa6ab9bd1306268144085adbad3bba4a815430ed028cac169e8b5a6fd00818684f65d7bdd32f11773bc6152e62ef80f895d35e

    • SSDEEP

      96:8egk1LFJaO1/radJEaYtv1Zs4lkL8y3A2EN8Cmy3uT24j7J3kWyy/:t7TJa2roqJyA2EN8diuTHje

    Score
    1/10
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      8b3830b9dbf87f84ddd3b26645fed3a0

    • SHA1

      223bef1f19e644a610a0877d01eadc9e28299509

    • SHA256

      f004c568d305cd95edbd704166fcd2849d395b595dff814bcc2012693527ac37

    • SHA512

      d13cfd98db5ca8dc9c15723eee0e7454975078a776bce26247228be4603a0217e166058ebadc68090afe988862b7514cb8cb84de13b3de35737412a6f0a8ac03

    • SSDEEP

      192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz

    Score
    3/10
    behavioral7behavioral8

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      82c3f38cd34739872af07443c65d0bd8

    • SHA1

      1f4ee2d394404a291eda6419f856adaf4b960237

    • SHA256

      59cdb2c12d5635fd25af4007b70222507948be41fa9885b7f07967c2510a5311

    • SHA512

      3a81c0613b1ea906ad4f103b02620217de69a8676dbb7ec41cf31f342a0a74562815a8d4f2efe9866fc16365f58524ac71652e99920acea355f020028775743d

    • SSDEEP

      192:ow8cSzvTyl4tgi8pPjQM0PuAg0YNy+IFtSP:lBSzm+t18pZ0WAg0R+IFg

    Score
    3/10
    behavioral10behavioral9

    • Target

      Milieubeskyttelseskonventioners.Com

    • Size

      10KB

    • MD5

      4486b19c9039bce7f7cb4e385ceb77d7

    • SHA1

      abf05caa17da604bb945764f78d72fda513d40ba

    • SHA256

      3e6531b08e539f4d71527a3b6b5ce6934b557e8da67a554d51b6ba122256bb4c

    • SHA512

      6d0409013fc2edb8a1ba573d9c2edd6d490c2d63474adae3876592fb73a9675e400b1a0fae225affeb1752b83d0a29a4846d6270764dab24530a5b58b0b96b65

    • SSDEEP

      192:0fOPCFpkXDR+Zh4S3y8UVoNhZLpDt2KYMa/9y:0fOqi+ZGXopLhtMMaFy

    Score
    1/10
    behavioral11behavioral12

    • Target

      Sabbatters.app

    • Size

      1KB

    • MD5

      6d05f4d490578ac56f35a2fb0fdc48c3

    • SHA1

      98cbe66769dca00383a1e6345a0af8d8f5158802

    • SHA256

      68c60b54d23a7eac7decbd381934147857868b1b5f14a5087cc7d691f68670d6

    • SHA512

      0d038240e209b7b478d66800c76668fe40b10ffca149b1920946fb025ba5f1be9f20cd75e689cae6c9e5d9c2f722bf54b5bc2783602a0379def34be48e6753b5

    Score
    1/10
    behavioral13

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks