General

  • Target

    TQW09876545678000.doc.lz

  • Size

    908KB

  • Sample

    240823-p1181svbkh

  • MD5

    4bf33d6222c54a9e629623a46b2f9c05

  • SHA1

    6113685de1701ed2de301b8568be857cc7a479c5

  • SHA256

    28637cd524ebc38013dcd330e8da17d6fa14b9fab45b7692aa43fa96e75554b2

  • SHA512

    a110021822bfb94d4e019f9688a3ddab692159d6375bb653b3cc821dfd5321a88c8b102e930022d0c155f18ed2d134487b1059d1796c120843fe0ded510462d1

  • SSDEEP

    24576:Uz/CvXcj5FBLJ3YctEHBpaFJsVgPcKw4e1xCsac0wSyYH:UKMj5FL3BEHBpzg0tCsac0nyo

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    192.210.150.26:8787

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NKQ1SM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      TQW09876545678000.Bat

    • Size

      1.3MB

    • MD5

      1898db351bd40cc4c836cfff2e21210e

    • SHA1

      d5f6f8b5d7caf9c6e66e4a40733e47060871ee13

    • SHA256

      cc42eb27131410ab64edaf8272078b60fb2d678853d4413274e7b5a7caa5bb8b

    • SHA512

      f09aca517b532d51e706f80dce7b39ff17cbc18af9f3cea57673cf6203bb3e1c7e5398375081c32d20fce1fcc550f7a6af6f797ca425a15017e1ffc9da5f6ad0

    • SSDEEP

      24576:IqDEvCTbMWu7rQYlBQcBiT6rprG8abTIZgdc+C401z8ssG0wCwYE:ITvC/MTQYxsWR7abagC38ssG0hw

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook accounts

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks