General

  • Target

    20092024_0757_19092024_18V4860 TS Light Diesel.lzh

  • Size

    844KB

  • Sample

    240920-jtn28awgpr

  • MD5

    cc03071fae7236e98c40469a0ba6aaec

  • SHA1

    1ba5c91b7ad81e11ac3b0af8c7c8f0e84ddbdc82

  • SHA256

    9d531e089d225f7ac68e1f96c5aedd6b624c6eb30a6ce3f7592d05da7dd485a7

  • SHA512

    c58b18bafcb5b144e8a0b9a1b8d829811f8f083512a1cf845e30a0d5ac2b1e9dc49204c5acb9c346babc03f48d472dc0067eb45b96523cb32835fc58761c9585

  • SSDEEP

    24576:KoSpkwbWQ4cyG3Dlzh1mofqu3XZpkFh3ukf:KJrt5WofqIvkFh3

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    www.drechftankholding.com:2404

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    dfgh

  • mouse_option

    false

  • mutex

    Rmc-8J6PG9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      18V4860 TS Light Diesel.pif

    • Size

      881KB

    • MD5

      88ad99bd08e94b721914d8368c3a259b

    • SHA1

      8d6518f2ea260d9835c3ed7190808fc263ed010a

    • SHA256

      4cce5506593907c3db78282849ed41729ca7cf737e1d38cb82dc10e27d92ff16

    • SHA512

      9dece9766da615b5b5b72c1d8167f7c3f54a73d3cc95a024e6b541e7c6c278606d9e8fdba37102cb251ed227a16780630033a6e8dcee9acc075fd417bb8c3e54

    • SSDEEP

      24576:qQ/EymH4hro8jGqj56ulEJ8v+FgFOfY823:3yHGrhGqdFlECv+CX

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, the web browser credential store.

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients.

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15