General

  • Target: 090113047c8231e14489ee51f2b8b2aeb5db34c96eb32dcb0b9552fefd2d110c
  • Size: 966KB
  • Sample: 240827-sa8f7axgrp
  • MD5: e0b19c0ac46b0bd1ef5532a0934a2ebf
  • SHA1: ac4efa8a7b95300477a1093300d0f4900f980fa0
  • SHA256: 090113047c8231e14489ee51f2b8b2aeb5db34c96eb32dcb0b9552fefd2d110c
  • SHA512: e416fa9ec908fd8d7a9e617ef269b776a80eaa7f9eb9aa4e936c9b1fbbeb7e2c2d818c73a150c29f58a574489f19c2660b0c195138b33ae340d2be331e8b488d
  • SSDEEP: 12288:A2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2E2Ee:f

Malware Config

Extracted

Family: remcos
Botnet: BCV
C2: tvq3101.sytes.net:1974

Attributes
  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-9PFUGS
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: PI-100957Review invoice.doc
    • Size: 713KB
    • MD5: 75ea30d53407de50f374dcb996d16382
    • SHA1: de90b4973ff236b3de7f214e3bce17d6d94f937f
    • SHA256: 20f69dbe505beadbb6aa03610ebf58a7b0d6d00adae76225cb381ba4fbaa520f
    • SHA512: c1778b658736066a370067ea669e1f0e1aa67362d24fa7779c9fdc91b2a12c96f452e39ba374e89799c6138c8e7bf349a8aeecfdb691265a123f84bd0cbbfe2c
    • SSDEEP: 6144:FwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwA9:z

    • Remcos
      Remcos is closed-source remote control and surveillance software.
    • Credentials from Password Stores: Credentials from Web Browsers
      Malicious access to, or copying of, a web browser credential store.
    • Detected Nirsoft tools
      Free utilities often used by attackers that can steal passwords, product keys, etc.
    • NirSoft MailPassView
      Password recovery tool for various email clients.
    • NirSoft WebBrowserPassView
      Password recovery tool for various web browsers.
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar data.
    • Accesses Microsoft Outlook accounts
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks