General

  • Target

    15072024_1334_14072024_Review Invoice 15072024.tar

  • Size

    728KB

  • Sample

    240715-qt7b5awbnb

  • MD5

    0a6420e9c0e983186459c2537bda199a

  • SHA1

    61bd7badb5728c129bc8f274b3787bb2ff387f90

  • SHA256

    7739a700fbce9b89f0aa0ec238298c0c07de9883fd463b20445b6d6f883d5d0f

  • SHA512

    96ccdefe9b4253f5380b4ce15b374aaaa64e15b6934ef22493295b37cada7039fc2f51b032d3f3277f44acc87ec3bd4f2e4ba9c9c649f74de52a54fed62578e2

  • SSDEEP

    12288:0Ghobbtqgy0yCGOrKNjg3Qh3rXzSb5t6gNXJgDh/+wwbmP/fF0/OUWbI:29qgxGnjh3rgfzkiu/kOUWs

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    WEALTHBOX

  • C2

    janbours92harbu03.duckdns.org:3980

    janbours92harbu03.duckdns.org:3981

    janbours92harbu04.duckdns.org:3980

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    sburtts.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    ghnghoe-ACVPA3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Review Invoice 15072024.cmd

    • Size

      1.6MB

    • MD5

      8043ccab76e981b8d581cb7636c94606

    • SHA1

      080c190cab8205ec507f328da0a807284628e1a6

    • SHA256

      2c9f05dbca2a6a28c5f2b39f1e236f5a379fa268cdcf27e031721c9f0fe91552

    • SHA512

      fbf807b7a0a586eac4e2de12c274120ac133c5abe1b6369e17741146330fc4dd3dbbb7c2a7817654b350442a99470a157cbf04aed804a4d0d4e6d5509fc806cc

    • SSDEEP

      24576:ZzMVPKmB/+fFOTQEKf99+VcJWn8wWgpQu/w/5tLw:h6BWFUkqVK/52

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks