General

  • Target

    ggsploit V1.2.1.zip

  • Size

    3.5MB

  • Sample

    241001-ykzvpa1drc

  • MD5

    4e3aee034b8f8bdc292eb70246b61b70

  • SHA1

    9510541cae448cd647462524dadb7c6764f3fde4

  • SHA256

    5a98da432ac4056a1843d19aa1c409f6cd56e5bf830c6fad8cd12f93f418095e

  • SHA512

    41f61ab6a9c09c6bfbc7d677a8fbcaed2a9db2aff2bf16c1f7d8bc566eff55c7d99be5bb66a1fb1ed74e51351e671cf18c61109229282aacffac9754ca07ceb7

  • SSDEEP

    98304:ZDH4uGXfFnCC1a+uuR1SVBoLv9xG0bW11qIL2ysuKZLxp2cY+c68Ee:RYfX9tPuOOFjsuKBf2N+cZEe
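
The hashes above identify the archive as submitted. To check a file you hold against them without executing anything, the following Python example (added here; not part of the report or of any sandbox tooling) hashes an archive and every member inside it in memory and matches SHA256 values against the entries this report lists. The archive it builds is a constructed stand-in, since the real sample is not on this page; ssdeep is not computed because it needs a third-party module.

```python
"""Hash an archive and every member inside it and match the SHA256s against the
hashes this report lists (file-level only; ssdeep needs a third-party module)."""
import hashlib
import io
import zipfile

# SHA256 values copied from this report's General and Targets sections.
REPORT_IOCS = {
    "ggsploit V1.2.1.zip": "5a98da432ac4056a1843d19aa1c409f6cd56e5bf830c6fad8cd12f93f418095e",
    "ggsploit V1.2.1/download this if you dont have roblox.exe":
        "95c5f519a5f729ec1205f9f1c69b3e370e468ed5d1c7675502a9c9ef227509c9",
    "ggsploit V1.2.1.exe": "7d1ac05427230f66167d1537a39e6433fe9279550440584ac82e66198e7c44e7",
    "unins000.exe": "023ddfff2ddaaa3bce687e393457bd993a94eae81b76d67e9f50e14c024c0e96",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")
MAX_MEMBER = 64 * 2**20  # skip members whose declared size is absurd (zip-bomb guard)


def hash_bytes(data):
    """The four digests the report gives for each file."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def match_ioc(data, iocs=REPORT_IOCS):
    """Report entry whose SHA256 equals this blob's, or None."""
    sha = hashlib.sha256(data).hexdigest()
    return next((name for name, h in iocs.items() if h == sha), None)


def triage_archive(zip_bytes, iocs=REPORT_IOCS):
    """Hash the archive and each member in memory (nothing is written to disk or
    executed). Returns [(label, sha256, matched_report_entry_or_None)]."""
    rows = [("<archive>", hash_bytes(zip_bytes)["sha256"], match_ioc(zip_bytes, iocs))]
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER:  # header-declared, so a hint, not a guarantee
                rows.append((info.filename, None, None))
                continue
            data = zf.read(info)
            rows.append((info.filename, hash_bytes(data)["sha256"], match_ioc(data, iocs)))
    return rows


def build_sample_archive():
    """Constructed stand-in for ggsploit V1.2.1.zip; the real sample is not on this page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ggsploit V1.2.1/download this if you dont have roblox.exe", b"abc")
        zf.writestr("ggsploit V1.2.1/readme.txt", b"not an indicator")
    return buf.getvalue()


if __name__ == "__main__":
    for row in triage_archive(build_sample_archive()):
        print(row)
```

Matching is on SHA256 only; MD5 and SHA1 are still computed because many feeds key on them, but a collision-resistant digest should decide the match.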

Malware Config

Extracted

Family

remcos

Version

5.1.3 Light

Botnet

ggsploit 1.2.1

C2

127.0.0.1:4444

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-XXOAKC

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
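
Read together, the extracted values say what this build would and would not do on a host: install_flag, keylog_flag and screenshot_flag are all false, and the C2 is 127.0.0.1:4444, a loopback address that yields no network indicator. The Python example below (added here; not part of the report or of Remcos) parses the key/value layout above into a dict, classifies the C2 address, and derives the mutex and file indicators the flags imply. The fixture is constructed from the values on this page; the parser skips blank lines, so the attribute entries are compacted. The "<install_dir>" placeholder is an assumption, since this extraction does not include the directory Remcos copies itself into.

```python
"""Derive hunt indicators from the Remcos config extracted in this report."""
import ipaddress

# Constructed fixture: the report's "Extracted" block, values copied verbatim
# (a subset of the Attributes; blank lines between attribute entries omitted).
REPORT_CONFIG_TEXT = """
Family

remcos

Version

5.1.3 Light

C2

127.0.0.1:4444

Attributes
  • copy_file
    remcos.exe
  • copy_folder
    Remcos
  • install_flag
    false
  • keylog_file
    logs.dat
  • keylog_flag
    false
  • keylog_folder
    remcos
  • mutex
    Rmc-XXOAKC
  • screenshot_flag
    false
  • screenshot_folder
    Screenshots
  • screenshot_path
    %AppData%
"""


def parse_extracted_config(text):
    """Parse the report's key / value layout into a dict with lowercase keys."""
    cfg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Attributes":  # section label carries no value
            continue
        if key is None:
            key = line.lstrip("•").strip().lower()
        else:
            cfg[key], key = line, None
    return cfg


def classify_c2(entry):
    """Split 'host:port' and say whether the address is worth hunting on the wire.
    Loopback and private addresses point at nothing outside the victim network."""
    host, _, port = entry.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
        kind = "loopback" if ip.is_loopback else "private" if ip.is_private else "public"
    except ValueError:
        kind = "hostname"
    return {"host": host, "port": int(port), "kind": kind,
            "actionable": kind in ("public", "hostname")}


def _flag(cfg, name):
    return cfg.get(name, "false").strip().lower() == "true"


def build_iocs(cfg):
    """Mutex, file and network indicators implied by the config. The directory
    Remcos installs into is not part of this extraction, so file paths are given
    relative to an assumed "<install_dir>" placeholder."""
    files, dormant = [], []
    if _flag(cfg, "install_flag"):
        files.append("<install_dir>\\%s\\%s" % (cfg["copy_folder"], cfg["copy_file"]))
    else:
        dormant.append("install (no persistence copy)")
    if _flag(cfg, "keylog_flag"):
        files.append("<install_dir>\\%s\\%s" % (cfg["keylog_folder"], cfg["keylog_file"]))
    else:
        dormant.append("keylogger")
    if _flag(cfg, "screenshot_flag"):
        files.append("%s\\%s" % (cfg["screenshot_path"], cfg["screenshot_folder"]))
    else:
        dormant.append("screenshots")
    return {"mutex": cfg["mutex"], "network": classify_c2(cfg["c2"]),
            "files": files, "dormant_features": dormant}


if __name__ == "__main__":
    print(build_iocs(parse_extracted_config(REPORT_CONFIG_TEXT)))
```

For this sample the only indicator that survives is the mutex Rmc-XXOAKC; the file paths only become relevant if the same config is seen with the flags turned on, which the example handles.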

Targets

    • Target

      ggsploit V1.2.1/download this if you dont have roblox.exe

    • Size

      6.5MB

    • MD5

      bfbd6cc26087166af3a64398260ead58

    • SHA1

      c50f08bffce2a709dee9af3ae6b96bb482abd4f9

    • SHA256

      95c5f519a5f729ec1205f9f1c69b3e370e468ed5d1c7675502a9c9ef227509c9

    • SHA512

      c23683291b4b0e0f555fd715ba6e685faa5a952df95c70df69010e2f6c9f0fd7f593f030fab068207ff97583e049b52674e85bd41fc5901f817b4ec080d945e3

    • SSDEEP

      98304:Uzvc3x0eU5N2T3pPB7nwQgy8p6JULNTY+sgrYBhiZUHKRmGO5Z/WtFmN:0c3fU5NeRuEYNUgrZTRm1Zutg

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      ggsploit V1.2.1.exe

    • Size

      430KB

    • MD5

      83935216d149d4c0c56470031c9d5d92

    • SHA1

      5b4cb9c1489513e81b744739b6ea96104dd71d0d

    • SHA256

      7d1ac05427230f66167d1537a39e6433fe9279550440584ac82e66198e7c44e7

    • SHA512

      15f774d34552e73337d45dead380587dfe035b7399a8c23eee55b4c1e7c4e80cf7cf028761ff4365d66bb4bd4be327ac73b3e25fb0a022bfa7161ac065fd2317

    • SSDEEP

      6144:cvRscHtVzjwIRFzJZ2p26+jFWXYnj9iT2ebvXmUcCqkmAO2rjXH7ycDZ3:cvRs4OIm2hWX4U2ebvRUAr77T3

    Score
    3/10

    • Target

      unins000.exe

    • Size

      436KB

    • MD5

      b2aebff3474de2fdb3be48ee268f2bec

    • SHA1

      8feaa6c4509151ef28f48a9b3c09fee15eeccebe

    • SHA256

      023ddfff2ddaaa3bce687e393457bd993a94eae81b76d67e9f50e14c024c0e96

    • SHA512

      a59ac5bd5e6d17446486575422ed6e05b95a34e1187dcf14d613d7ce30508cd5a365c9e13e311905e7d8801e20cb83822c4bec67322d580e8195b5f3fc97f39e

    • SSDEEP

      6144:5vRscHtVzjwIRFzJZ2p26+jFWXYnj9iT2ebvXmUcCqkmAO2rjXH7ycDd3:5vRs4OIm2hWX4U2ebvRUAr77/3

    Score
    3/10
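
The two Event Triggered Execution signatures on the 6.5MB dropper (Image File Execution Options injection and COM hijacking) both leave registry values behind that can be hunted for on a suspect host. The Python example below (added here; not part of the report) parses the output of `reg query <key> /s` and flags IFEO Debugger and SilentProcessExit MonitorProcess values, and HKCU InprocServer32 entries that shadow an HKLM server for the same CLSID or point into a user-writable directory. The export it runs over is constructed, not captured from this sample: the paths reuse the copy_folder and copy_file names from the extracted config, and the CLSID is made up.

```python
"""Hunt for the two persistence techniques the report flags on the dropper
(IFEO injection, COM hijacking) in a `reg query <key> /s` export."""
import re
from dataclasses import dataclass

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
IFEO = "software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
SPE = "software\\microsoft\\windows nt\\currentversion\\silentprocessexit\\"
CLSID_RE = re.compile(r"^software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# reg query prints each value as: 4 spaces, name, 4 spaces, REG_type, 4 spaces, data
VALUE_RE = re.compile(r"^ {4}(\S.*?) {4}(REG_\w+) {4}(.*)$")


@dataclass(frozen=True)
class RegValue:
    hive: str  # "HKLM" or "HKCU"
    key: str   # path below the hive, lowercased
    name: str  # "" for (Default)
    data: str


def parse_reg_query(text):
    """Turn reg query output into RegValue records (a key line, then its values)."""
    values, hive, key = [], None, None
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "" if m.group(1) == "(Default)" else m.group(1)
            values.append(RegValue(hive, key, name, m.group(3).strip()))
        elif line and not line[0].isspace():
            root, _, rest = line.partition("\\")
            hive, key = HIVES.get(root, root), rest.lower()
    return values


def find_ifeo_injection(values):
    """Debugger and SilentProcessExit MonitorProcess values: each launches an
    attacker-chosen binary whenever the named program starts or exits."""
    hits = []
    for v in values:
        if v.key.startswith(IFEO) and v.name.lower() == "debugger":
            hits.append(("IFEO Debugger", v.key[len(IFEO):], v.data))
        elif v.key.startswith(SPE) and v.name.lower() == "monitorprocess":
            hits.append(("SilentProcessExit MonitorProcess", v.key[len(SPE):], v.data))
    return hits


def find_com_hijacks(values):
    """HKCU InprocServer32 entries take precedence over HKLM for the same CLSID, so
    flag a user-hive server that shadows a machine-wide one or sits in a user-writable path."""
    servers = {"HKLM": {}, "HKCU": {}}
    for v in values:
        m = CLSID_RE.match(v.key)
        if m and v.name == "" and v.hive in servers:
            servers[v.hive][m.group(1)] = v.data
    hits = []
    for clsid, path in servers["HKCU"].items():
        reasons = []
        machine = servers["HKLM"].get(clsid)
        if machine is not None and machine.lower() != path.lower():
            reasons.append("shadows HKLM server %s" % machine)
        if any(s in path.lower() for s in USER_WRITABLE):
            reasons.append("server DLL under a user-writable directory")
        if reasons:
            hits.append((clsid, path, reasons))
    return hits


# Constructed export, not captured from the sample: file names reuse the
# copy_folder/copy_file values from the extracted config; the CLSID is made up.
SAMPLE_REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\Users\victim\AppData\Roaming\Remcos\remcos.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
    DisableExceptionChainValidation    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\calc.exe
    MonitorProcess    REG_SZ    C:\Users\victim\AppData\Roaming\Remcos\remcos.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\shell32.dll

HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32
    (Default)    REG_SZ    C:\Users\victim\AppData\Roaming\Remcos\hook.dll
"""

if __name__ == "__main__":
    regs = parse_reg_query(SAMPLE_REG_EXPORT)
    for hit in find_ifeo_injection(regs) + find_com_hijacks(regs):
        print(hit)
```

On a live host, export the three parent keys with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` (and likewise for SilentProcessExit and both hives' Software\Classes\CLSID) and feed the text to parse_reg_query. A Debugger value is not malicious by itself (developer tooling sets them), so the hit list is a triage queue, not a verdict.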

MITRE ATT&CK Enterprise v15

Tasks