Resubmissions

14-08-2024 22:40

240814-2l2bpavapl 10

06-08-2024 19:59

240806-yqhhlasemd 10

General

  • Target

    39c096e77e2ce57c75d07b577dbf5899b5e883a3d3435a0a3d0313a52718496a.zip

  • Size

    511KB

  • Sample

    240814-2l2bpavapl

  • MD5

    20718a9a3b1507318d9a99040f1a2ba5

  • SHA1

    4bdb164336ee66464a3ddbc973cc853a1d866e64

  • SHA256

    ac43825c40c583e02818f1f76e97376fa1f94451e41acc8ce58afc84f081577d

  • SHA512

    9acb86be09245ac0bf23aafe558704f2b5853624736e85fd23968c0be68abc7db061ae2f07dbd150fa42a6020ad1cdff874b6cc48b4eea8688e88250ae334a03

  • SSDEEP

    12288:OzGmfCoben7YBhCmTkAp3R3KZZwSJJQd08hdh04:OZZOc1plKZsyWX

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.169.175.190:2404

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-LBZ2BK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      39c096e77e2ce57c75d07b577dbf5899b5e883a3d3435a0a3d0313a52718496a.bin

    • Size

      670KB

    • MD5

      31dea80f55b9485ad4dd9a8636b7b12e

    • SHA1

      d6987a2bed5c0af40ffa425a8bcd5960bc2a16b7

    • SHA256

      39c096e77e2ce57c75d07b577dbf5899b5e883a3d3435a0a3d0313a52718496a

    • SHA512

      2cca917add60b40c877a315b50382583c3a6a07055290dfa7345214e6d9cbfe501ef524f65f3427672231b8a241e8ec0394231e1cd0d606baa706bc9e3df84ad

    • SSDEEP

      12288:cu70DgkcKSx+zPDp2eZcnbgvsFxqFGC4SEYSU+9vzqqYVYRDl0u:T4DgksE3ZvvsFxqFX/EYD+1fYVsn

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can be used to steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15