General

  • Target

    Salary July 2024pdf.exe

  • Size

    863KB

  • Sample

    240807-k56l3szbjg

  • MD5

    fa7f5341c4ee122c6295e08d04062ac0

  • SHA1

    f479d2673e995cdf233b2fb13aa595cd542ab742

  • SHA256

    c2cf1032ae671d0bcba6d625bc72236b125f864a1bb6114c6b96a8e0c91c6759

  • SHA512

    e3e81f334038fe06fe06c9bea9b7e2549134bb6f7ba6dd06dbaa68fefd26c533a6d0a18b81fdb619a518b2fbce6134484af67851a57ac26d04942ea1469d0de2

  • SSDEEP

    24576:eiUmSB/o5d1ubcvBxuwQYTReNoH+V2uiQd+Dgyx:e/mU/ohubcvBk8Neh0ug8

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.169.175.190:2404

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-LBZ2BK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Salary July 2024pdf.exe

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified UPX.

    • Accesses Microsoft Outlook accounts

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks