30-09-2024 11:56

240930-n31jtsyalh 10

General

  • Target

    SecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exe

  • Size

    967KB

  • Sample

    240930-n31jtsyalh

  • MD5

    450228d72f9f726b645c55bbbc6db905

  • SHA1

    b26075c51a4681f2ff7407188f5e9480545a7aca

  • SHA256

    9124d7696d2b94e7959933c3f7a8f68e61a5ce29cd5934a4d0379c2193b126be

  • SHA512

    4795d090447d237cbe1a044ffe78e8cd0c9be358df778673b4713eab2c324056a7701d22b827b95b2413845089fa71ac81a4f47cc8bcdbabad34845e64b4e090

  • SSDEEP

    12288:5Ly0W0exb+S7/6eALmQXhts30QmskXnnAEkINz3WSVgl:5Ly05wCmQXw30Ek3AgNz3Sl

Malware Config

Extracted

Family

remcos

Botnet

Rem_doc2

C2

107.173.4.16:2404

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-DSGECX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      SecuriteInfo.com.Win32.InjectorX-gen.20521.11680.exe

    • Size

      967KB

    • MD5

      450228d72f9f726b645c55bbbc6db905

    • SHA1

      b26075c51a4681f2ff7407188f5e9480545a7aca

    • SHA256

      9124d7696d2b94e7959933c3f7a8f68e61a5ce29cd5934a4d0379c2193b126be

    • SHA512

      4795d090447d237cbe1a044ffe78e8cd0c9be358df778673b4713eab2c324056a7701d22b827b95b2413845089fa71ac81a4f47cc8bcdbabad34845e64b4e090

    • SSDEEP

      12288:5Ly0W0exb+S7/6eALmQXhts30QmskXnnAEkINz3WSVgl:5Ly05wCmQXw30Ek3AgNz3Sl

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $WINDIR/compromis/Aerognosy.Res

    • Size

      52KB

    • MD5

      552ed0904239d64db1895620b38dc799

    • SHA1

      8a6a6c6efd31b04c716cde1783b45783f2843e20

    • SHA256

      d4d98fdbe306d61986bed62340744554e0a288c5a804ed5c924f66885cbf3514

    • SHA512

      21f283ac39223437470036ec08eb01bf40c4a0c45ea5b94bb4d902cf66923db4d14641ce68370d240ab2b213527552dfde13eb1ff4b21a0bbf0c1ee6aed7ade7

    • SSDEEP

      1536:Yb2DFjNKjwJJCwZuTEaiwLAm7C24yWjc2:YSrvJEwZtwM6qg2

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15