General
-
Target
11315781264�pdf.zip
-
Size
45KB
-
Sample
241111-va4t4svnaq
-
MD5
c99c163f256e6a7d453d1e16ffe15d4c
-
SHA1
982fdba069751b9a9229b8d08cbf56230e6603d5
-
SHA256
794df456648b056ba688154bd73bbff754c8a7932a9d9dd5b27f4ad6986c60cf
-
SHA512
2940aeb6684e1a765db0b3bcd0afe89bc5e9287aa7530537ff4f117dfe9b4a80c4b36e898e4f59579027eab8e34e5886653df3b28d1b4359ee075ea17c322c7c
-
SSDEEP
768:CSb1CrRDLiXY+gnyfuxlspIL0IQSYSH1OqTJ4sbgQvOY4ljtZonqKgeaJ4VNIK2e:Ch3i0yfXIQEVJTJnxqKgD/BqwqPn
Malware Config
Extracted
remcos
RemoteHost
13hindi4pistatukoy4tra.duckdns.org:47392
-
audio_folder
MicRecords
-
audio_path
ApplicationPath
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
true
-
keylog_file
logs.dat
-
keylog_flag
false
-
keylog_folder
remcos
-
mouse_option
false
-
mutex
Rmc-7IIE67
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
11315781264·pdf.vbs
-
Size
86KB
-
MD5
8b88faca30c1d912d945515b0edce924
-
SHA1
62d5bee19f043112784832da29a423e1a35cdbae
-
SHA256
2a3615e8c977f2a9411c9fef294c7dd53986ce084579340b55977544fc94f143
-
SHA512
be3f1dcdb304cf2e72c9f305cc24c3cb99c6a7579b5d5c69c77f14cdfb12dad82cc3b1ba875d0e94c86cafc740a10a4bfc7eb809c58b9c01ece4dc1fc1e549f9
-
SSDEEP
1536:R70tt9i0kFFGd9p6puoNyVnJrsI/FBqqOkbSApBknXZ8Y4apgi1VdXaAj2LvbAP:RQL9ihHU9Yu4kn1OEDp6nXZ8YjpTVdus
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Remcos family
-
UAC bypass
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
NirSoft MailPassView
Password recovery tool for various email clients
-
NirSoft WebBrowserPassView
Password recovery tool for various web browsers
-
Blocklisted process makes network request
-
Uses browser remote debugging
Can be used control the browser and steal sensitive information such as credentials and session cookies.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook accounts
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
1Disable or Modify Tools
1Modify Authentication Process
1Modify Registry
2