General

  • Target

    30082024_1219_30082024_SALKI098765R400.doc.lz

  • Size

    878KB

  • Sample

    240830-pg6dmatdjh

  • MD5

    b13320b3a2381e25b3392b41691abf6e

  • SHA1

    d9eff981d05d54c0f43e50eba2a6b38a17e98036

  • SHA256

    d8ec15128a2035c5f9b8048a556b27f13e980ec4729f8b0132493fc470661d84

  • SHA512

    bb509b9ce22c5ad248e850db824a0d81f3a3436e24796efb211f66a48b52566da4a240e5789d7b68fe45805527ad69c2f1abae7d1ca94fddb9c738a3bfed015a

  • SSDEEP

    24576:sGo1T0Z2PkspJ3CF9OkoWTleno0XBwlaIFdvnuwx:xOI8J3/cenotamx

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    192.210.150.26:8787

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-NKQ1SM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
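The attributes above are what a config extractor pulls out of the unpacked Remcos payload. The following Python is an added example, not the sandbox's own extractor: it implements the documented Remcos v3/v4 SETTINGS layout (a one-byte key length, the RC4 key, then the RC4-encrypted configuration whose fields are separated by `|\x1e\x1e\x1f|`) and decodes a blob that is constructed here with the same routine. The field order used when naming the decoded fields, the `\x1f` host separator and the `host:port:password` shape of the C2 entry are assumptions for this sample and differ between Remcos builds; the values are taken from the report above.

```python
"""Decode a Remcos-style SETTINGS blob (1-byte key length, RC4 key, RC4 ciphertext).

Added example: not code from the sandbox or from Remcos. The sample blob is
CONSTRUCTED with build_sample_blob(), not extracted from the reported binary.
"""
from typing import Dict, List

FIELD_SEP = b"|\x1e\x1e\x1f|"          # field delimiter used by Remcos v3/v4 configs
HOST_SEP = b"\x1f"                      # assumed separator between multiple C2 hosts

# Constructed sample material; the indicator values come from the report above.
SAMPLE_KEY = b"ExampleRc4Key"
SAMPLE_FIELDS = [
    b"192.210.150.26:8787:pass",        # C2 host:port:password (assumed shape)
    b"RemoteHost",                      # botnet
    b"Rmc-NKQ1SM",                      # mutex
    b"remcos.exe",                      # copy_file
    b"Remcos",                          # copy_folder
]
# Assumed positional meaning of the fields; real builds differ in order and count.
FIELD_NAMES = ["c2", "botnet", "mutex", "copy_file", "copy_folder"]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both builds and decodes the sample."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_sample_blob(key: bytes = SAMPLE_KEY, fields: List[bytes] = SAMPLE_FIELDS) -> bytes:
    """Lay out a SETTINGS blob the way a decoder expects to find it in the RCDATA resource."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one byte")
    return bytes([len(key)]) + key + rc4(key, FIELD_SEP.join(fields))


def decode_settings(blob: bytes) -> List[bytes]:
    """Split a SETTINGS blob into its plaintext fields, validating the length prefix."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    key, ciphertext = blob[1:1 + key_len], blob[1 + key_len:]
    if len(key) != key_len or not ciphertext:
        raise ValueError("truncated key or empty ciphertext")
    return rc4(key, ciphertext).split(FIELD_SEP)


def parse_c2(field: bytes) -> List[Dict[str, object]]:
    """Parse 'host:port:password' entries joined by HOST_SEP (assumed layout)."""
    hosts = []
    for entry in field.split(HOST_SEP):
        if not entry:
            continue
        parts = entry.decode("latin-1").split(":")
        host, port, password = (parts + ["", ""])[:3]
        hosts.append({"host": host, "port": int(port) if port else None, "password": password})
    return hosts


def extract_indicators(blob: bytes) -> Dict[str, object]:
    """Decode a blob and name the fields that matter for detection and blocking."""
    fields = decode_settings(blob)
    cfg = dict(zip(FIELD_NAMES, fields))
    missing = [name for name in FIELD_NAMES if name not in cfg]
    if missing:
        raise ValueError(f"config has fewer fields than expected; missing {missing}")
    return {
        "c2": parse_c2(cfg["c2"]),
        "botnet": cfg["botnet"].decode("latin-1"),
        "mutex": cfg["mutex"].decode("latin-1"),
        "copy_file": cfg["copy_file"].decode("latin-1"),
        "copy_folder": cfg["copy_folder"].decode("latin-1"),
    }


if __name__ == "__main__":
    print(extract_indicators(build_sample_blob()))
```

On a real unpacked Remcos binary, pull the RT_RCDATA resource named SETTINGS with pefile or a resource viewer and pass its raw bytes to `decode_settings`; the sample here is UPX packed and AutoIT wrapped, so the resource only exists in the injected payload, not in `SALKI098765R400.exe` itself.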

Targets

    • Target

      SALKI098765R400.exe

    • Size

      1.0MB

    • MD5

      2a2526a15732cd1f3f8859fe3f504cb9

    • SHA1

      53f5eee1f770d79666d7421823f29ee21d8cba3e

    • SHA256

      406306efb272acd3c69ab3b1c1fadea2c41bf817ce71e5872b6ff426248207d5

    • SHA512

      029f573edc92908f027a46d035d0ce6b69f9ac2cd0b82dd1df75bb8ee43a02850e644217fc68d67b4a9633ed408534f7e46896afb7f337b71d9072b5140003d8

    • SSDEEP

      24576:4iUmSB/o5d1ubcvqqJGyUyTlUJS0Xtw5amFnRn2cdB:4/mU/ohubcvqq8oUJS7agd

    • Remcos

      Remcos is closed-source remote control and surveillance software, sold commercially and widely abused as a remote access trojan.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often bundled by attackers, that can recover stored passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • UPX packed file

      Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

    • Accesses Microsoft Outlook accounts

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a common step in process hollowing: a process is created suspended, its image replaced with injected code, and its main thread redirected to that code before it is resumed.
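The extracted config and the behaviour signatures above translate directly into host and network indicators. The script below is an added example, not part of the sandbox report: it takes the C2 endpoint, copy_folder/copy_file, keylog_folder/keylog_file, screenshot_folder and audio_folder values from this page and runs them over a handful of constructed Sysmon-style events (EventID 1 process create, 3 network connection, 11 file create). The event records, paths and the parent process name are invented for the example; only the indicator values come from the report.

```python
"""Match the report's extracted Remcos indicators against endpoint telemetry.

Added example, not part of the sandbox report. SAMPLE_EVENTS are CONSTRUCTED
Sysmon-style records (field names follow Sysmon, contents are invented).
"""
import re
from typing import Dict, List, Tuple

# Indicator values taken from the report's extracted config.
C2_ENDPOINTS = {("192.210.150.26", 8787)}
DROPPED_FILES = {"remcos.exe", "logs.dat"}                  # copy_file, keylog_file
DROPPED_FOLDERS = {"remcos", "screenshots", "micrecords"}   # copy/keylog, screenshot, audio folders
# "Drops startup file": a write into the per-user Startup folder.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

# Constructed sample telemetry: four events that should match, two benign ones.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": r"C:\Users\victim\AppData\Roaming\Remcos\remcos.exe",
     "ParentImage": r"C:\Users\victim\Downloads\SALKI098765R400.exe"},
    {"EventID": "3", "Image": r"C:\Users\victim\AppData\Roaming\Remcos\remcos.exe",
     "DestinationIp": "192.210.150.26", "DestinationPort": "8787"},
    {"EventID": "11", "Image": r"C:\Users\victim\AppData\Roaming\Remcos\remcos.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\remcos\logs.dat"},
    {"EventID": "11", "Image": r"C:\Users\victim\Downloads\SALKI098765R400.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\remcos.lnk"},
    {"EventID": "3", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
    {"EventID": "11", "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "TargetFilename": r"C:\Users\victim\Documents\notes.txt"},
]


def _tail(path: str) -> Tuple[str, str]:
    """Return (parent folder name, file name) of a Windows path, lower-cased."""
    parts = path.replace("/", "\\").lower().split("\\")
    return (parts[-2] if len(parts) > 1 else ""), parts[-1]


def match_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons (possibly none) an event matches the report's indicators."""
    hits: List[str] = []
    eid = int(ev.get("EventID", "0"))
    if eid == 3:
        dst = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", "0")))
        if dst in C2_ENDPOINTS:
            hits.append(f"network: connection to Remcos C2 {dst[0]}:{dst[1]}")
    elif eid in (1, 11):
        path = ev.get("Image" if eid == 1 else "TargetFilename", "")
        folder, name = _tail(path)
        # Require folder AND file name so a stray logs.dat elsewhere does not fire.
        if name in DROPPED_FILES and folder in DROPPED_FOLDERS:
            verb = "executed" if eid == 1 else "created"
            hits.append(f"file: {verb} {path} (matches copy/keylog indicator)")
        if eid == 11 and STARTUP_DIR.search(path):
            hits.append(f"persistence: startup folder write {path}")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that matches at least one indicator, with its reasons."""
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(idx, "; ".join(reasons))
```

The folder-plus-filename check is deliberate: `logs.dat` and `remcos.exe` on their own are weak indicators, but the config ties them to specific folder names, so requiring both keeps the rule tight without losing the behaviours this report lists.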

MITRE ATT&CK Enterprise v15
