General

  • Target

    Factura (8).tar.lz

  • Size

    588KB

  • Sample

    240906-tdb3tsvejk

  • MD5

    53baf5c9a0c8b13cb0bbdca4cd7cc025

  • SHA1

    3bd3e1996c64620f83a64c826708c33beedcc14f

  • SHA256

    207470c31aebb98487d019c4ca219f77be687bca6c704321066f6b6f31c58d25

  • SHA512

    d712c8d8536555fe420b3a1851c73c8ece0c9dcbf9c583b8a003c76a05392828a8dc9b41bc35443bbdec9a7346df5d5d495c8a839a9c6d4941cdcf051c584068

  • SSDEEP

    12288:Ur52lfmBF12lYaKdlfquhYKJReshs1UsG+16h3O9Mu74Cn8pTm/uxwUbfDp3/:NNGFLL3fqMR1hs1Usu3XsZ8pT7NbfF3/

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    ANYANWU DOLLAR

  • C2

    ezeanyanwu.duckdns.org:1941

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-1PA65J

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Factura (8).tar.lz (588KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General above)

    Score
    3/10
    • Target

      sample.out

    • Size

      1.4MB

    • MD5

      6684ddd4e1abd48a38562b27b031897f

    • SHA1

      671b0c4f734415e56666c8e238b6e63645d4d746

    • SHA256

      d4e1522da41954bace3965a4653d5604f57c4679121d1ea1952a6e00cc50d07e

    • SHA512

      57c773bbae868552871a241c21ee9ab81fbd1fe17db4c6efdba03ed68f95f584bc0a47286837dd59a61a1756120edee83f7b1b24550d7202d5491c7255d7aa91

    • SSDEEP

      24576:x/yPbQ/8GreJLDAvcFz7Q0U3VgAA2gUf3THW09jY86VxOsF:xYuUR7wg0gUf3Dtw

    Score
    3/10
    • Target

      Factura.exe

    • Size

      1.4MB

    • MD5

      b7ae27c0f9ebaa19934b75ed05cea094

    • SHA1

      4f8be01c46092555a8fe4871e40733b6f29c4c70

    • SHA256

      c84953278a17d52f97efb2a10403d81e4f16e98dab2b4025d7049445e566e893

    • SHA512

      e7585276448216bdd78f136f942d7027b394fdcaf26e655d7672d09254785cb6e457363b475607c810ad956b18af7a7539896e1e4179d11974097f3ebee889de

    • SSDEEP

      24576:X/yPbQ/8GreJLDAvcFz7Q0U3VgAA2gUf3THW09jY86VxOsF:XYuUR7wg0gUf3Dtw

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • ModiLoader Second Stage

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15
