General

  • Target

    Payroll for July.PDF.tar.gz.exe.gz

  • Size

    4.9MB

  • Sample

    240727-nke56sxcqk

  • MD5

    ef4af5ea8b80cf002900bab6dc1dd4b4

  • SHA1

    78d763bcc44512c23824f12865c2210d3526ef61

  • SHA256

    d456968e124cebb1d526937391ae428f24b925c8dd3b28bb5cf505284053a367

  • SHA512

    d8066d273717ac6618d536bbbf93968d781813bb913487eca9000a875b1060946db147c648e381d627ea58cfa83fbf0f682eaef45ad64f0ff3a2ce252bebabed

  • SSDEEP

    49152:jILm52gH9tPNjLtDgqYQQLg74MmPp1E1TlUQdbKvqsCOP1Ru4JmB/po9c:

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:54888

zuesremmy.duckdns.org:54888

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-Z19JY9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Payroll for July.PDF.bat

    • Size

      4.9MB

    • MD5

      221325197f9623e7be8285e05b28c8db

    • SHA1

      e96b0bf85a8b3e9544eed7b2db4db08bbaee5707

    • SHA256

      68711195c07e287987488f7045c7147501ccfbae22318b8460d01a86d2f09599

    • SHA512

      30b445175c2700065cfecc18d839f4129297435f94649fc5f5fdc489a3151e4544abcf40e2923e2d2002e438f6bf03cdc4cdbd21d44344cc2306c25cc401e98e

    • SSDEEP

      49152:qILm52gH9tPNjLtDgqYQQLg74MmPp1E1TlUQdbKvqsCOP1Ru4JmB/po9c4:5

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks