Overview

overview

10

Static

static

1

Recordator...10.wsf

windows7-x64

8

Recordator...10.wsf

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f0520e6c-3bcf-4221-87fd-08dcec47ca2c.gz

  • Size

    4KB

  • Sample

    241015-j12lwstdnf

  • MD5

    2031552e9e2463f0de5e377085e904a7

  • SHA1

    dd6c10fa324c54473b15cc8bf418568a6fd448e4

  • SHA256

    a36e528ef262a50d1f90bbd43af100f1dbcee3c895b79a88edebf3e555b9079d

  • SHA512

    eea3808455dd735b84067f1337812b7614e9f85b7a641e48a4ff36d960762f98b227bdf405ff0ae31262a73abd784032e3f8e4adc52008ab38b4f305543a48d0

  • SSDEEP

    96:cnkZP60QfVb4OMv/fudmULpigsfmSfLRIfJMyu5QzIEm:yI6zsXh60dam

Score
10/10
remcosremotehostcollectiondiscoverypersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

kellyjasmine1985.duckdns.org:59111

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-O8Q0QM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Recordatorio de orden de compra - factura numero 2024-10.wsf

    • Size

      8KB

    • MD5

      abe356554178ad255021d0334f8950b5

    • SHA1

      2ab70f593dde24a0bb0b6ad7258069b1735d3889

    • SHA256

      554a5dbed0ecc5f4cceab8042d8d3d2d9587f43507e0150bb3df9f01b4de88d6

    • SHA512

      8d7179a5adbdb097c7d029793b4c72115a0fcace5298e306d5ae6a46107dd3be2f689d385672b4452588a0f3823ac02a2caf2221499791eeff4e3b4280647de3

    • SSDEEP

      192:FF6VUXhzSkGC0aiYrfOFpXyig0rmDMfIwagGgFFAV+:eIjDtOZZfVagbFFAV+

    Score
    10/10
    discoveryremcosremotehostcollectionpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks