Overview

overview

10

Static

static

3

c6e661d982...32.exe

windows7-x64

10

c6e661d982...32.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL Twitter E-mail

General

  • Target

    c6e661d982981e4de5cbcba98e28bac1aa3a9518d4e5c605680480962f917c32.exe

  • Size

    411KB

  • Sample

    240604-pea5psff9y

  • MD5

    1799424409d5e0099fa315a0aa11b36a

  • SHA1

    53007977e7eda1a6ab8cddfe2a7d882b8eb820b4

  • SHA256

    c6e661d982981e4de5cbcba98e28bac1aa3a9518d4e5c605680480962f917c32

  • SHA512

    3c37a3c61575425d5c8636bc81ea91c23e9ee4243d9517cdd70c78139c3f9a531b265ae87f0cdcb7ab2e81edcdbe10f273af042a507cfc021adadd75b9450b3c

  • SSDEEP

    6144:Y7eCd6puQeCTGkiq0DYhgmZ0uPNrCSlbYnVannn/hygOdtUwj0TnmuqXdy:6PqGZSPNm+bYnVa/hygoRu6XU

Score
10/10
remcosclientcollectionpersistenceratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

CLIENT

C2

107.150.18.202:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J3QQTH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      c6e661d982981e4de5cbcba98e28bac1aa3a9518d4e5c605680480962f917c32.exe

    • Size

      411KB

    • MD5

      1799424409d5e0099fa315a0aa11b36a

    • SHA1

      53007977e7eda1a6ab8cddfe2a7d882b8eb820b4

    • SHA256

      c6e661d982981e4de5cbcba98e28bac1aa3a9518d4e5c605680480962f917c32

    • SHA512

      3c37a3c61575425d5c8636bc81ea91c23e9ee4243d9517cdd70c78139c3f9a531b265ae87f0cdcb7ab2e81edcdbe10f273af042a507cfc021adadd75b9450b3c

    • SSDEEP

      6144:Y7eCd6puQeCTGkiq0DYhgmZ0uPNrCSlbYnVannn/hygOdtUwj0TnmuqXdy:6PqGZSPNm+bYnVa/hygoRu6XU

    Score
    10/10
    remcosclientcollectionpersistenceratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      fbe295e5a1acfbd0a6271898f885fe6a

    • SHA1

      d6d205922e61635472efb13c2bb92c9ac6cb96da

    • SHA256

      a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

    • SHA512

      2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

    • SSDEEP

      192:yPtkiQJr7V9r3Ftr87NfwXQ6whlgi62V7i77blbTc4DI:N7Vxr8IgLgi3sVc4

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks