General

  • Target

    Halkbank_Ekstre_20240812_081403_007266.exe

  • Size

    1.0MB

  • Sample

    240815-g9glzazala

  • MD5

    d8aae67ba084ebb898ae31babee967b5

  • SHA1

    6fff9d4cd78a36b477f40f04900bef4fd10dbbde

  • SHA256

    e69cbec2c6a28dca27558736ea04f1b998ed42c2e70cf2934b12330df04bf3be

  • SHA512

    f951b9c8d77e874f151c758211f40c8f0c35167a40669c3211a401dfa9fd0969d3f929ed9a661ef0484a655ec2ddd3bd2e785f18fb7a442c1058541b99e0deb1

  • SSDEEP

    24576:gp2F7Kq76+pIowfeVyiEL+cqyCVpnRbRBsNhlloRA4Enj:F76+pIowXLBhlH4S

Malware Config

Extracted

Family

remcos

Botnet

Aug 13

C2

method8888.ddns.net:6902

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-SYI1YB

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Halkbank_Ekstre_20240812_081403_007266.exe

    • Size

      1.0MB

    • MD5

      d8aae67ba084ebb898ae31babee967b5

    • SHA1

      6fff9d4cd78a36b477f40f04900bef4fd10dbbde

    • SHA256

      e69cbec2c6a28dca27558736ea04f1b998ed42c2e70cf2934b12330df04bf3be

    • SHA512

      f951b9c8d77e874f151c758211f40c8f0c35167a40669c3211a401dfa9fd0969d3f929ed9a661ef0484a655ec2ddd3bd2e785f18fb7a442c1058541b99e0deb1

    • SSDEEP

      24576:gp2F7Kq76+pIowfeVyiEL+cqyCVpnRbRBsNhlloRA4Enj:F76+pIowXLBhlH4S

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks