General

  • Target

    eb88df06fa2f93f3615a04a593ff0c88098a6e4a9d0063dc3cfbd8931f0e625e

  • Size

    46KB

  • Sample

    241112-lnvzpazekc

  • MD5

    cc7b71a27716274190e3716e0d3cc349

  • SHA1

    2b49521f8c1833ceef370033e130f38119fd5163

  • SHA256

    eb88df06fa2f93f3615a04a593ff0c88098a6e4a9d0063dc3cfbd8931f0e625e

  • SHA512

    2ba5d97a1372255b453fbdd61ec5dfbf9551f6844cfb0ae708f9b5a74c855a9bc4883d7d3297fe46ebd56a717f29d66afb0ae3fa2626bc5881c04afad1476472

  • SSDEEP

    768:VEFQOVLjf0gRHK0G7/wpTGnnrqsb7YSxDoVYGrn9mRSRBjPM1VJdw0HwUMg4/1/O:VEqOVLjf0gRHsITGnVYuDoCGbktVJFnj

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

dvlqrd8dhs.duckdns.org:46063

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-0IGFAQ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
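The extracted fields above are only useful once they are turned into something a hunt or detection pipeline can consume. The block below is an added example, not sandbox or Remcos code: it models the config with the values from this report (constructed as a dict), splits the C2 entry into host and port, flags dynamic-DNS hosting, and predicts on-disk artefacts only for features the build enables. The `%AppData%` base path for `copy_folder` and `keylog_folder`, and the short dynamic-DNS suffix list, are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Values copied from the Extracted section of this report.
EXTRACTED_CONFIG = {
    "c2": ["dvlqrd8dhs.duckdns.org:46063"],
    "botnet": "RemoteHost",
    "mutex": "Rmc-0IGFAQ",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "hide_keylog_file": True,
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}

# Assumption: a short hand-picked list of dynamic-DNS suffixes; extend as needed.
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".ddns.net", ".hopto.org")


@dataclass
class Indicators:
    network: list[tuple[str, int, str]] = field(default_factory=list)  # (host, port, note)
    mutexes: list[str] = field(default_factory=list)
    files: list[tuple[str, str]] = field(default_factory=list)  # (path, note)


def win_path(*parts: str) -> str:
    """Join path components with backslashes, leaving the %AppData% token untouched."""
    return "\\".join(parts)


def parse_c2(entry: str) -> tuple[str, int]:
    """Split a 'host:port' C2 string; refuse to guess when the port is missing."""
    host, _, port = entry.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"unparseable C2 entry: {entry!r}")
    return host.lower(), int(port)


def derive_indicators(cfg: dict) -> Indicators:
    ind = Indicators()
    for entry in cfg["c2"]:
        host, port = parse_c2(entry)
        note = "dynamic DNS" if host.endswith(DYNDNS_SUFFIXES) else "static host"
        ind.network.append((host, port, note))
    ind.mutexes.append(cfg["mutex"])
    # Only predict on-disk artefacts for features this build enables. With
    # install_flag, keylog_flag and screenshot_flag all false, no persistence
    # copy, keylog or screenshot files are expected from this sample.
    # Assumption: Remcos places copy_folder and keylog_folder under %AppData%.
    if cfg["install_flag"]:
        ind.files.append((win_path("%AppData%", cfg["copy_folder"], cfg["copy_file"]),
                          "persistence copy"))
    if cfg["keylog_flag"]:
        attr = "hidden" if cfg["hide_keylog_file"] else "visible"
        ind.files.append((win_path("%AppData%", cfg["keylog_folder"], cfg["keylog_file"]),
                          f"keylog file ({attr})"))
    if cfg["screenshot_flag"]:
        ind.files.append((win_path(cfg["screenshot_path"], cfg["screenshot_folder"]),
                          "screenshot folder"))
    return ind


if __name__ == "__main__":
    ind = derive_indicators(EXTRACTED_CONFIG)
    for host, port, note in ind.network:
        print(f"network  {host}:{port}  ({note})")
    for m in ind.mutexes:
        print(f"mutex    {m}")
    if not ind.files:
        print("file     (none: install, keylog and screenshot features are disabled)")
    for path, note in ind.files:
        print(f"file     {path}  ({note})")
```

The point of gating the file indicators on the flags is to avoid hunting for `%AppData%\Remcos\remcos.exe` on hosts where this build would never write it; the mutex and the C2 host:port pair remain valid regardless of those flags.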

Targets

    • Target

      Document BT24·pdf.vbs

    • Size

      86KB

    • MD5

      acd9a75b2f33064da7ebef088ed16cb9

    • SHA1

      8f51e47a0454c8032e2ecd90f85bb115e80b5f35

    • SHA256

      cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4

    • SHA512

      06525377cfdc4e75fab11fd907a65c611bb9c880fe56bc68b3baa108b266e472813d3824969d6e6584c6b7d90b65379dfc633a15ef17bf24705a8195a5c657b3

    • SSDEEP

      1536:970ty9v0kvBGd9pOpuoNvhvJELsj+qOhkqXzkx5c3cYdg51VWXaAj2yTk:9Qk9vh5U9QLzFOhbwx5c3cYdqVWrTk

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • UAC bypass

    • Detected Nirsoft tools

      Free utilities often used by attackers to steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Uses browser remote debugging

      Can be used to control the browser and steal sensitive information such as credentials and session cookies.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook accounts

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
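Several of the behaviours listed above translate directly into host-side detection logic. The block below is an added example, not the sandbox's signatures: it runs four rules over constructed events (my own event shape, not the sandbox's log format) and reuses the C2 host from the Extracted section. The exact registry value behind "Checks computer location settings" (Control Panel\International\Geo\Nation), the browser and script-host process lists, and the command-line switch matched for remote debugging are assumptions.

```python
import re

# Host from the Extracted section above; feed from the config parser in a real pipeline.
C2_HOSTS = {"dvlqrd8dhs.duckdns.org"}

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe"}
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.IGNORECASE)
# Assumption: the location check reads the Geo\Nation value under Control Panel\International.
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# Assumption: script hosts that should not normally originate outbound connections.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed events; the file name and process tree are placeholders.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\sample.vbs"'},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "dst": "dvlqrd8dhs.duckdns.org:46063"},
    {"type": "dns", "query": "dvlqrd8dhs.duckdns.org"},
    {"type": "registry", "op": "query",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'chrome.exe --headless --remote-debugging-port=9222 --user-data-dir="C:\Users\u\AppData\Local\Google\Chrome\User Data"'},
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe https://example.com/"},
    {"type": "dns", "query": "www.microsoft.com"},
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def rule_browser_remote_debugging(ev: dict) -> bool:
    """A browser launched with a remote-debugging switch (DevTools protocol exposed)."""
    return (ev["type"] == "process"
            and basename(ev["image"]) in BROWSERS
            and REMOTE_DEBUG_RE.search(ev["cmdline"]) is not None)


def rule_location_check(ev: dict) -> bool:
    """Registry read of the configured country code, used for geofencing."""
    return ev["type"] == "registry" and GEO_NATION_RE.search(ev["key"]) is not None


def rule_c2_resolution(ev: dict) -> bool:
    """DNS query for a host taken from the extracted config."""
    return ev["type"] == "dns" and ev["query"].lower().rstrip(".") in C2_HOSTS


def rule_script_host_network(ev: dict) -> bool:
    """A script host (the .vbs dropper's interpreter) making an outbound connection."""
    return ev["type"] == "network" and basename(ev["image"]) in SCRIPT_HOSTS


RULES = {
    "browser_remote_debugging": rule_browser_remote_debugging,
    "location_check_registry": rule_location_check,
    "c2_dns_resolution": rule_c2_resolution,
    "script_host_network": rule_script_host_network,
}


def run_rules(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


if __name__ == "__main__":
    for idx, name in run_rules(EVENTS):
        print(f"event {idx}: {name}")
```

Note that the two chrome.exe events differ only in the command line: an ordinary browser launch does not fire, which is the distinction a production rule needs so that the DevTools-based credential and cookie theft stands out from normal browsing. The C2 rule is the narrowest of the four; a broader variant would match the dynamic-DNS suffix rather than the single host.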

MITRE ATT&CK Enterprise v15

Tasks