General

  • Target

    13112024_0149_OCBC.PaymentAdvice.pdf.exe.iso

  • Size

    76KB

  • Sample

    241113-ccenwsvcrn

  • MD5

    80b5f7eaba74d8d03bdb37e4d2fa3646

  • SHA1

    f12b66daf42c7b886e258a91a507b22ff1a0eb9d

  • SHA256

    ed11a1720faafbb6e931be84e0159e6f57886ccc928e9c1bf007b4c6bf2c4d2b

  • SHA512

    987b82192e52f5f49a62d64aee8e0cebac29842c5366ad72e4132898e29ad745f3643e10a5aa0364e0bd7d0083c98a236c21f9ffb2ed716910d5fb5efe6b7deb

  • SSDEEP

    192:X9q/z/Yk+pxEnFgA/Wh764JziWHCEvNesGIN:X9Q8vpxEnFgf76UvvNesJ

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

204.10.160.239:9682

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-6D4L9S

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      OCBC.PaymentAdvice.pdf.exe

    • Size

      25KB

    • MD5

      3b545f7f4f5f5ae844a1743a51877f45

    • SHA1

      5f423addc5664d4706a7bc1929e2f824848b12a6

    • SHA256

      104b35f5d9c703f0c6b45ce79ec5c7023bf33681c303855ea03ceff56786dcef

    • SHA512

      2b509774413dcb03fc83a82a20039d52f18b769ee83d21c7789628fe3967321479f6b6b11e5fb39740687d9763052188a0ced296679402d7e3f7dd4e449ac10e

    • SSDEEP

      192:8/z/Yk+pxEnFgA/Wh764JziWHCEvNesGIN:q8vpxEnFgf76UvvNesJ

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks