General

  • Target

    f4f4d459698282bc9109716f91cc91fd3b36f363a352c17245c883dbd921fbdf

  • Size

    857KB

  • Sample

    240820-jckcpszdlh

  • MD5

    eedc23b970a3a42043e8d4b1ee76fb9d

  • SHA1

    fe9daa5b63d40ad5b7e18b613194b610c7792ff4

  • SHA256

    f4f4d459698282bc9109716f91cc91fd3b36f363a352c17245c883dbd921fbdf

  • SHA512

    3562456620c5fe085ddbdfa89f61b90f98172b3cca6b2fc813e56ec28b77691458dce19b430b768ec7f2be53bc4c8aaad4651cad52e80bdf7636d7f34dee8dc8

  • SSDEEP

    12288:aeeY86AUjYZ9tDBrp2zc6qyWUIvIGlfqDT6N0XsqVnk2p9g9bz3Cdw7wUvw:abY86ojZlIwgQRUTk2p9glrC

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.210.150.26:8787

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-Q4NYK2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      HGA9876700900H2.scr

    • Size

      883KB

    • MD5

      99e294d8f93ad2845be9c68f408e6f0a

    • SHA1

      0df7d97799b61cb82052b2391bc9aa12e3a702f2

    • SHA256

      23b79a548370036ac42a74e0d6e4106f28fce17db08aa91afa095159c86a3171

    • SHA512

      055133fb016b1c6f2df5c7770e4895991c9bc7d355d475f5a259d7f43eb3e85c57024dc7552048c1f27c982e10d82993098cd890e0bc07dc905af6d9131e0a0c

    • SSDEEP

      12288:EsHzOUNUSB/o5LsI1uwajJ5yvv1l2L33jjqJfYDjuN0TsqN5k2/96Nb33qTE7aUt:niUmSB/o5d1ubcvcjjCbuFk2/96l5p

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Accesses Microsoft Outlook accounts

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks