Overview

overview

10

Static

static

3

APPENDIX F...om.exe

windows7-x64

10

APPENDIX F...om.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    APPENDIX FORM_N°45013-20241120.com.exe

  • Size

    681KB

  • Sample

    241121-nfmdpa1qhw

  • MD5

    cf4530628bdb401e066ea81e86403d77

  • SHA1

    b929d4f89e537b8f932bebc75df0959ef9b406ee

  • SHA256

    e721952c765bb39555f2aa9f2141649fe2c1f2700224513c2860c8a7e25d2260

  • SHA512

    ab29e221be8b0b8318ebcd97d638034bf80368221713e15b3b016a0aa42f2f142c2ce2de68d3eb8a99a6d65e43a6268ea1a4db0f7436f6bcc5ff0e222c691d4a

  • SSDEEP

    12288:+3vFfP1t7YQ6RTw6F+i4nGxcigHvPyagJQMzoocD/f9Lw:A1r7YQ9lcc9Hv0QMzoZpw

Score
10/10
guloaderremcosremotehostcollectiondiscoverydownloaderratspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.133.158.36:11371

45.133.158.36:10051

45.133.158.36:10050

45.133.158.36:24554
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-CDCZ2K

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      APPENDIX FORM_N°45013-20241120.com.exe

    • Size

      681KB

    • MD5

      cf4530628bdb401e066ea81e86403d77

    • SHA1

      b929d4f89e537b8f932bebc75df0959ef9b406ee

    • SHA256

      e721952c765bb39555f2aa9f2141649fe2c1f2700224513c2860c8a7e25d2260

    • SHA512

      ab29e221be8b0b8318ebcd97d638034bf80368221713e15b3b016a0aa42f2f142c2ce2de68d3eb8a99a6d65e43a6268ea1a4db0f7436f6bcc5ff0e222c691d4a

    • SSDEEP

      12288:+3vFfP1t7YQ6RTw6F+i4nGxcigHvPyagJQMzoocD/f9Lw:A1r7YQ9lcc9Hv0QMzoZpw

    Score
    10/10
    guloaderremcosremotehostcollectiondiscoverydownloaderratspywarestealer

    • Guloader family

      guloader

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      960a5c48e25cf2bca332e74e11d825c9

    • SHA1

      da35c6816ace5daf4c6c1d57b93b09a82ecdc876

    • SHA256

      484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

    • SHA512

      cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

    • SSDEEP

      192:jVL7iZJX76BiqsO7+UZEw+RlthVEoC0O3XB:g7ssOpZs/hS3X

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks