fantom

General

Target

https://bazaar.abuse.ch/sample/32fd435938f24dbcb2c62c4d2fcf0c9ddc109dc35275510b202830d7a119d317/
Sample

240803-nlyznswfnd

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

Fresh

C2

taysour6lakut1.duckdns.org:1960

taysour6lakut1.duckdns.org:1961

taysour6lakut2.duckdns.org:1960

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
mzpos.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
kmgvboirfg-VIHET7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>T5q0ttMmrHOdpvKKxoGU5/THFldjzJQWUF/HkFhzWzAzIi0gErl0E+s1i7d9hlDK1hZh8d6hfneBXXelw8gxTcaUPNJwfq3Dm/Lu7U8tmbphHX8a/8blqDuN8NT+pr4dYoZ+IgZ5NDaJMUwEBjoz6G4Sn/eP1i5bssH/il5Ubn7Nf0xEE8nNXIQxldJm0emFYC0/QhH3nuzHwdrKfkWo8dWavUePzG11b6VbC/TRVw3WN93M0TG8aKnqc5zaAKQpInUOv+wyipRdyvR0nU9OPGqZYMXRgXeOZbNT0u7cciU6DqeEqe8n7rp/bzjnM27pRw5XjGJfXa9BRuAIIWHn8Q==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\$Recycle.Bin\DECRYPT_YOUR_FILES.HTML

Ransom Note

Attention ! All your files have been encrypted. Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets. That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us. Getting a decryption of your files is - SIMPLY task. That all what you need: 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] 2. For test, decrypt 2 small files, to be sure that we can decrypt you files. 3. Pay our services. 4. GET software with passwords for decrypt you files. 5. Make measures to prevent this type situations again. IMPORTANT(1) Do not try restore files without our help, this is useless, and can destroy you data permanetly. IMPORTANT(2) We Cant hold you decryption passwords forever. ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. Your ID_KEY: BemkQ4awQ8DVjdlew5sSMLCRJQKrMx2pXjLD2yElp2H4SBFRLwHEjXwDQsRMsZJE7uE9ykfelCKbao3aMK2Kzqh+tyWEbsNznJxe5BaN6GNsg4kSTQPM40gx38IHcqcnXXZ/Zp4w+i/Viq2/rA5wxLFoQaDhgO0DuKW34dA0rjrL/f+zl6wyhSkgaPRJstRCn4gLUpy23vPe7jdJVtTUXjHt5lcISRyfeHm4+WUFc0qvYozj3c1c15wukS8F0zoFvsBzlww4XInKwVKnq0ocS4v/IJTVjOLppwiM03bzyAlH1AOVIYOvWlna8COwOVEWzBLZlY/Xz2tqhVhot6zbCw==ZW4tVVM=

Emails

[email protected]

Targets

- Target
  
  https://bazaar.abuse.ch/sample/32fd435938f24dbcb2c62c4d2fcf0c9ddc109dc35275510b202830d7a119d317/
Score

10^/10

fantom remcos fresh collection credential_access discovery evasion ransomware rat stealer
- Fantom
  Ransomware which hides encryption process behind fake Windows Update screen.
  ransomware fantom
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Renames multiple (1026) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
  collection
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1