Resubmissions

30-07-2024 06:50

240730-hmbymsvcrl 10

29-07-2024 09:34

240729-ljzgbawaje 10

General

  • Target: 29072024_0934_29072024_Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-29.PDF.tar.gz
  • Size: 526KB
  • Sample: 240729-ljzgbawaje
  • MD5: 90a8c5510480fb8e736499f5a5b2a74b
  • SHA1: a99765aacccb88fa9261991d2310582467a60b50
  • SHA256: e651929d200f1c483ac575e1984e364ec838f75b522c3c62e692f20608ea260a
  • SHA512: f5ef246391d88ffaf1aeaad1b48f30cae66026baed7977b12ec3a75f8ab7c0513ae003d5c60343a8bcf289dc74b8b0a8d626df795c77912b47067ef1015f7064
  • SSDEEP: 12288:6UYak7qbBEwCTgB0vOiNsi4djA1A1jOhqlRhtxHh+N5k:os3CTgyvn4lAG1CKf+N5k

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2:
    127.0.0.1:45645
    127.0.0.1:56765
    mypersonrem.duckdns.org:56765
    mypersonrem.duckdns.org:45645

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-ZGTK2C
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: Scan_SKMBT_EPDA _ SOA_Payment Reference TR-37827392-2024-07-29.PDF.exe
    • Size: 1.1MB
    • MD5: 7d8f742f61cdcf07f87403db8b3ddaed
    • SHA1: 0991fd8f4c020ceff16306f74c7416034691bf1d
    • SHA256: 14b2d55f02369c078f2a3da33a0b5e963c76b3deb1b000b6e664bd87a97ddc24
    • SHA512: 87abea135f53040901c202aa8eea7cba85a92aab347dad64bbf613a646edc038083301f44cb49b53ddf69e6b7b5cc31068fc427eb1c934caed9aadb4ef03d227
    • SSDEEP: 24576:eMYsrqeco9CxAQgacj6C0aZfvgI7AMMeljMnqH1:eMO0Dj67aZ3AMMg1

    • ModiLoader, DBatLoader
      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos
      Remcos is a closed-source remote control and surveillance software.

    • ModiLoader Second Stage
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks