General

  • Target: b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602.exe
  • Size: 619KB
  • Sample: 240724-danpfstglj
  • MD5: eecdcad7501f2a7308d40820445e2aa9
  • SHA1: 898a2f518726c6866ebd3583b634d8c0043f543d
  • SHA256: b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602
  • SHA512: ff0c5db3c2fc1a8db8a536bcedcdb7406841d74400e3246fbbbea2450f5ed336257ec0b01d616105f0650f9e0be9bda93dec037f56b6845044146c8909cc4d05
  • SSDEEP: 12288:7T5tGDZWWO4K0GFYSE+ZAaDNtde8N1LGayE3cqU2ricGtq:7T5QDZWb4K0GFYCZA4tde863Ew2G0

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: 212.162.149.80:2404

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-WVQ56B
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602.exe
    • Size: 619KB
    • MD5: eecdcad7501f2a7308d40820445e2aa9
    • SHA1: 898a2f518726c6866ebd3583b634d8c0043f543d
    • SHA256: b5aefdeb0f451c2edd13b5d42cb64234f5b513997af891ae3f5c187d15701602
    • SHA512: ff0c5db3c2fc1a8db8a536bcedcdb7406841d74400e3246fbbbea2450f5ed336257ec0b01d616105f0650f9e0be9bda93dec037f56b6845044146c8909cc4d05
    • SSDEEP: 12288:7T5tGDZWWO4K0GFYSE+ZAaDNtde8N1LGayE3cqU2ricGtq:7T5QDZWb4K0GFYCZA4tde863Ew2G0

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected NirSoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target: $PLUGINSDIR/nsExec.dll
    • Size: 7KB
    • MD5: 84bcbefa5fe3d82647a15f135f22fb2a
    • SHA1: 7c23a0c1a8b185f5af456dafa63a3c1207d8c1dc
    • SHA256: 14ebfa0711b48ec748b6e4985db4b99a827996ae44b28122d16f14d0d0f51bb6
    • SHA512: c0e4ca46be6892b2cec77992e809897bcb768e3436d9bd81e4f84f4f1da9ef123ae902783147d263ac8019c732f131654694ad4105888c1f310c7bce8844b7dd
    • SSDEEP: 96:0Vl/7KOuFlKHMpXGu8FX6eT3sQk1u2QmIG4fa9IJ4V:0Vl+hSs2u85TTHkZQmgy9I0

    Score: 3/10
