Overview

overview

10

Static

static

3

PO-33463334788.exe

windows7-x64

7

PO-33463334788.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO-33463334788.exe

  • Size

    511KB

  • Sample

    241031-rrve8azgmr

  • MD5

    77a1c8918ae7893671d3dfe3b410a107

  • SHA1

    c863d6378582314b9898054031b0eb7019cff637

  • SHA256

    f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768

  • SHA512

    341f7d0749886c8b9efc4e3a2ec2f99bee712418a338a22261fd20d688ddc327cd80754ca36d5f640395cd87c58624b525b3341ac1beab445f45c6d57f1f27b3

  • SSDEEP

    12288:QXbtieDFJ/9GGYLtORcN1zk2Mt4yGOup8WWfL8s:QXxpDFJ/99Y/WKVbs

Score
10/10
remcosremotehostcollectiondiscoveryratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

23.227.202.197:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-QPTXAI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      PO-33463334788.exe

    • Size

      511KB

    • MD5

      77a1c8918ae7893671d3dfe3b410a107

    • SHA1

      c863d6378582314b9898054031b0eb7019cff637

    • SHA256

      f091affa4bfe7b5d24c784295f49ce788032b3dd89b0160e95caca1d08f92768

    • SHA512

      341f7d0749886c8b9efc4e3a2ec2f99bee712418a338a22261fd20d688ddc327cd80754ca36d5f640395cd87c58624b525b3341ac1beab445f45c6d57f1f27b3

    • SSDEEP

      12288:QXbtieDFJ/9GGYLtORcN1zk2Mt4yGOup8WWfL8s:QXxpDFJ/99Y/WKVbs

    Score
    10/10
    discoveryremcosremotehostcollectionratspywarestealer

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      192639861e3dc2dc5c08bb8f8c7260d5

    • SHA1

      58d30e460609e22fa0098bc27d928b689ef9af78

    • SHA256

      23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

    • SHA512

      6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

    • SSDEEP

      192:ljHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZqE0QPi:R/Qlt7wiij/lMRv/9V4bfr

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks