General

  • Target

    00518a36ae3ed38e2aa8052e48a7bdebf82b192b3b7573ccbffdb574491b2ebc

  • Size

    927KB

  • Sample

    240819-npnywavfmr

  • MD5

    6cf4636edbe546975c6a85c76c654a98

  • SHA1

    c45700793a185e4d6bbd222d412e94395ce1368c

  • SHA256

    00518a36ae3ed38e2aa8052e48a7bdebf82b192b3b7573ccbffdb574491b2ebc

  • SHA512

    6bcb335fdb34c81af396a6810de53c1427b86a798faab13fb1adb4636a5562544d10bf78cccb65886d6f47a7bd36623489f9fbc04bc9166577f28376ba2bc8e1

  • SSDEEP

    24576:M9XHGPzxo4x5wDBKDd3PyiOZENqs8QmOYG:+XHGKGKDBKDd3P9N/8QdYG

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.210.150.26:8787

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-Q4NYK2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
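The extracted configuration above is directly usable as indicators: the C2 endpoint, the mutex name and the drop/keylog/screenshot/audio locations are all things a host or network sensor can be asked about. As an added example (not part of the sandbox report), the following Python turns those fields into matchable IOCs and runs a handful of constructed telemetry events against them. It assumes that Remcos places the copy, keylog, screenshot and audio folders under the `screenshot_path` given in the config (`%AppData%`); the event dictionaries are invented for the demonstration.

```python
import re

# Values copied from the extracted Remcos configuration above.
REMCOS_CONFIG = {
    "c2": ["192.210.150.26:8787"],
    "mutex": "Rmc-Q4NYK2",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_folder": "MicRecords",
}

# Regex for any user's roaming AppData directory on a default Windows layout.
APPDATA_RE = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming"


def path_to_regex(path):
    """Turn a config path containing %AppData% into a case-insensitive regex
    that matches the same location under any user profile. A trailing
    backslash or end-of-string is required so 'Remcos' does not match
    'RemcosBackup'."""
    escaped = re.escape(path).replace(re.escape("%AppData%"), APPDATA_RE)
    return re.compile("^" + escaped + r"(\\|$)", re.IGNORECASE)


def build_iocs(cfg):
    """Derive network, mutex and file indicators from the config.
    Assumption (not stated in the report): the copy, keylog, screenshot and
    audio folders all live under screenshot_path (%AppData% here)."""
    c2 = set()
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        c2.add((host, int(port)))
    base = cfg["screenshot_path"]
    relative = [
        cfg["copy_folder"] + "\\" + cfg["copy_file"],      # dropped binary
        cfg["keylog_folder"] + "\\" + cfg["keylog_file"],  # keystroke log
        cfg["screenshot_folder"],                           # screenshot dir
        cfg["audio_folder"],                                # mic recordings
    ]
    paths = [(base + "\\" + rel, path_to_regex(base + "\\" + rel)) for rel in relative]
    return {"c2": c2, "mutex": cfg["mutex"], "paths": paths}


def match_event(iocs, ev):
    """Return a label for the indicator an event hits, or None."""
    if ev["type"] == "network":
        if (ev["dst_ip"], ev["dst_port"]) in iocs["c2"]:
            return "c2:%s:%d" % (ev["dst_ip"], ev["dst_port"])
    elif ev["type"] == "mutex":
        if ev["name"] == iocs["mutex"]:
            return "mutex:" + ev["name"]
    elif ev["type"] == "file":
        for label, rx in iocs["paths"]:
            if rx.search(ev["path"]):
                return "path:" + label
    return None


# Constructed telemetry events for the demonstration (not from the report).
EVENTS = [
    {"type": "network", "dst_ip": "192.210.150.26", "dst_port": 8787},   # C2 hit
    {"type": "network", "dst_ip": "192.210.150.26", "dst_port": 443},    # wrong port
    {"type": "mutex", "name": "Rmc-Q4NYK2"},                             # mutex hit
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Remcos\remcos.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\remcos\logs.dat"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Screenshots\1.jpg"},
    {"type": "file", "path": r"C:\Program Files\Remcos\remcos.exe"},     # not AppData
    {"type": "mutex", "name": "Rmc-OTHER"},                              # other build
]


def scan(events=EVENTS, cfg=REMCOS_CONFIG):
    """Return (event index, indicator label) for every event that matches."""
    iocs = build_iocs(cfg)
    hits = []
    for i, ev in enumerate(events):
        label = match_event(iocs, ev)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for i, label in scan():
        print(i, label)
```

Note that `install_flag` and `keylog_flag` are both `false` in this configuration, so the file-path indicators may never fire for this particular build; the C2 socket and the mutex are the indicators to rely on, and the path patterns are mainly useful against other Remcos builds with the same folder names.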

Targets

    • Target

      SGD987656789000.bat

    • Size

      1.3MB

    • MD5

      94fae522e1da6fb24ab1e360e1ea735a

    • SHA1

      b6653ef066efe1c0b50e4ca555d150af8db5c515

    • SHA256

      a1fd251fdcdb3197e3941e10bb14b9de2a08ecdb2604f94dd9acb40f17e567fb

    • SHA512

      886e9b878dc782a0920b17018a2e511449b4a4b34defcec3ae7a0b69bbcf03ac959b072de2d6cff8a7bd6d4adec704e87415bb2788cb3331e2e894fc5a8945c0

    • SSDEEP

      24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8alSJBWiSfEpog8MqI1:1TvC/MTQYxsWR7alSJB9pZ8Mj

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often abused by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Accesses Microsoft Outlook accounts

    • AutoIt Executable

      AutoIt scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks