Resubmissions

30-11-2024 11:20

241130-nfmpfssmhx 10

30-11-2024 03:54

241130-egqm3avqhq 10

General

  • Target: 30112024_0348__89004161-000002102-66_20241128pdf.vbs.zip
  • Size: 19KB
  • Sample: 241130-nfmpfssmhx
  • MD5: cc231be3ce4a2c607b3161bff7ec88b0
  • SHA1: 0b31aaff49de78dd131a44a7aaaffe37cce5384e
  • SHA256: 1fc6fbf92722053225d14b53d960a903f9ff7b1cf4bb2f626634af38f31d333c
  • SHA512: 54b44c917714f1a1713723cec1f6a766eba35be2e31f048b8fe17adb2dfd93ff68f4c37ca0a5a59cdf3fcfded8b49e22e4bc50893557ad5f969636b3baa1ee50
  • SSDEEP: 384:kYrxHAkWSLRGiYvuOcw1Ps39ZevDRs4I5YTWe4d21GgsFyp7WqlsxcFIyCaN:lhAZSLVY40Ps3Dc99I5Q10FQaEs+rN

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: 8766e34g8.duckdns.org:3782

Attributes

  • audio_folder: MicRecords
  • audio_path: ApplicationPath
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: true
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-93TSMD
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: 證據_89004161-000002102-66_20241128·pdf.vbs
    • Size: 33KB
    • MD5: b87c82bba48c44f8fc387ecd6100ff0e
    • SHA1: 2cdcb7b8b4f5a8b0501a121b6b4264aa7c6b2f57
    • SHA256: 20100ee5a74b50849ea1a00363a6751320c9aab43ba31859f79147af1b56b509
    • SHA512: 442d105706dcc997c39a141d7a944bbb961e8948d15caee81814f1a6d6245e46b00bf98e893c1623bd92b12b1ac440432fd26f4fd9166c5ffea8ac9a575af189
    • SSDEEP: 768:5KSasMUqkx36r142byXNoPNhZqpCtHki2ynMVVX09rkFJC:ISas/RF6hWyPN/MbZ09oFM

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Network Share Discovery

      Attempts to gather information on the host's network.

    • System Binary Proxy Execution: Verclsid

      Adversaries may abuse Verclsid to proxy execution of malicious code.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks