General

  • Target

    COTIZACIONSyCONSULTA#46789NOV24.bat.exe

  • Size

    696KB

  • Sample

    241113-h6m51sxdqh

  • MD5

    9481aae46f5f383c4cf6e5b3dacd68b4

  • SHA1

    580a6fc8fb6c6609cfcd356e9894cdb5318135ee

  • SHA256

    857596f38c587a4a832bdd9136cc593ab7073ca3bda87b513e4e13ee31af0a32

  • SHA512

    ecc96befec7561eb4e5320f22f48d6fb0ddf837a8ba1eee6b823a80ff81b874f8553ef83001612d31d7a3b4a441e1fed2664ed40e10c72efca8e95a0da1c0b90

  • SSDEEP

    12288:z8bn1Tfr3YmR1j+uP30YcUbA3pPru8escoGcZhAkFN2ZTyWy0ctqhm2V7P:zun1XdRV+u/Lcj3pusccAgN2ZT1HI2VD

Malware Config

Extracted

Family

remcos

Botnet

SLAVES

C2

windowslavesclient.duckdns.org:1604

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J3MJAP

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      COTIZACIONSyCONSULTA#46789NOV24.bat.exe

    • Size

      696KB

    • MD5

      9481aae46f5f383c4cf6e5b3dacd68b4

    • SHA1

      580a6fc8fb6c6609cfcd356e9894cdb5318135ee

    • SHA256

      857596f38c587a4a832bdd9136cc593ab7073ca3bda87b513e4e13ee31af0a32

    • SHA512

      ecc96befec7561eb4e5320f22f48d6fb0ddf837a8ba1eee6b823a80ff81b874f8553ef83001612d31d7a3b4a441e1fed2664ed40e10c72efca8e95a0da1c0b90

    • SSDEEP

      12288:z8bn1Tfr3YmR1j+uP30YcUbA3pPru8escoGcZhAkFN2ZTyWy0ctqhm2V7P:zun1XdRV+u/Lcj3pusccAgN2ZT1HI2VD

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can recover stored passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Accesses Microsoft Outlook accounts

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Hypermyotonia/Selvskyldnerkautioners166.Ove

    • Size

      54KB

    • MD5

      dc17cbe567137cd2180d5d9008408c1b

    • SHA1

      f6d6cb48deacb371ae5e948b614216411a957b8a

    • SHA256

      a39ec711eead243210ca0061a2b0365b86f40b5114a4a17286960a36c668053d

    • SHA512

      64bf594a0cee26fbdfafac1d552a7ab4dedbc566fa58d4af1c3bc22a6d11814e0511daed2cb8725b7d3c0a91765a980b2ebc4836c09fad159282db01edb64833

    • SSDEEP

      768:Yl0M2fXsstjro7/vPAGoffMSMNg8NvcJ4b0UnCJTyOOLqOAPRJi4FQmJQKJa8TDS:Ylr+Je7XAGIHMN7c9O/0q4X7DkKc

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of drives other than the default C: drive.

MITRE ATT&CK Enterprise v15