remcos

General

Target

02092024_1446_02092024_Документи (СУД).rar
Size

11KB
Sample

240902-r5legaseqj
MD5

b46ef4a62ad75dc65bb0d55bbfcd59a9
SHA1

fa548688f5ee6924f12363129032694758b23e0f
SHA256

93b777a3bf5c868c9fec5465aa912f79e45589d136cb7e32e74c995ac80c8631
SHA512

5d335ebe155d6bd2058c4a190a817136b1553def0a61c34fce0c0ddb9e82903cc2318f82f5aaa44f404d34b2abaea77650522803fd9cdf7840414724ccf8e347
SSDEEP

192:ZOJmkOQlI4q9JaaGySZajBmVcA82MtwltOI8IXjaywxnXpPuP7CzuWA2r6GrtQ0f:Z2mIldw/KZajBec7wlnXjay6XcTCiL2z

Score

10^/10

Malware Config

Extracted

Family

xenorat

C2

111.90.147.147

Mutex

fjsjhgf

Attributes

delay
5000
install_path
nothingset
port
5652
startup_name
nothingset

Extracted

Family

remcos

Botnet

hst_one

C2

101.99.93.108:2404

101.99.93.108:1723

101.99.93.108:8080

101.99.93.108:8091

101.99.93.108:80

101.99.93.108:465

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
rmc
mouse_option
false
mutex
gdrgfddghgfd-FLRWT9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Документи (СУД)/Копія вихідної позовної ухвали.vbs
- Size
  
  14KB
- MD5
  
  3df171ee8218dc8e8baffe34182d431f
- SHA1
  
  94495da87627355cdbfd2ab36a1d7beced35ec9c
- SHA256
  
  5640cb7c1399cf63031ade147e623ad9f9d63fb350addc550eae4141c2fe4431
- SHA512
  
  cf7e80192f3f6379f13ee867b7248fb7153f2a6be0c6f187876b9a21430f9f2cf82863eeaf50ef35c95742c45a09eeb19d79d4d558fab076c8a6d64f2ffcf319
- SSDEEP
  
  192:vNjEQQX0KGFqxncbke3u9judG27J7FN2IEu/CRRkvO3MZGsugdcGPJZMxu2hlYFH:vNOGtw79jObvFQMIsu0PJmxNSiMFpW8x
Score

10^/10

execution xenorat discovery persistence rat trojan
- XenorRat
  XenorRat is a remote access trojan written in C#.
  trojan rat xenorat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Документи (СУД)/Порядок денний до суду.bat
- Size
  
  13KB
- MD5
  
  22865eb508afb7fabbe06e656568150d
- SHA1
  
  82e2ce104c874210918d8d1b63f663d353d3d7ac
- SHA256
  
  0b6ff11b6bb77a2b5fddd259c021c80096d681e955468e342435ab93d1743cd7
- SHA512
  
  ba8bfab7e32d420c3b38e330f764bea7b2a06d10f2a5880330b16ecdeb2466e52a0661f7559492e97b3825709164f446601db74a6615e0700cdc642a35c3f301
- SSDEEP
  
  192:XlNQXHDDlrxLsbGOlfs/m+jGuqHswuVIJHjMfqxnJvMuz3DPPygGYlp868OwTXY4:3QX2N5FCwuOme0ufy4ioWI7uF4w
Score

10^/10

execution remcos hst_one collection credential_access discovery rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Detected Nirsoft tools
  Free utilities often used by attackers which can steal passwords, product keys, etc.
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral3 behavioral4