Overview

overview

10

Static

static

3

430010782.pdf.exe

windows7-x64

8

430010782.pdf.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    09122024_2309_09122024_430010782.pdf.Tar

  • Size

    619KB

  • Sample

    241209-25hnpavlet

  • MD5

    ccbdb6c6a58086aa6e0be362b7664bab

  • SHA1

    e9e9b89242827910146eded36daf41bce3dc9c65

  • SHA256

    36c105d0567272f2c86d784c7e7beadc44898152d1413d70fadd93b20f6992c8

  • SHA512

    d0a30e5afa1add70d414d0827a120863653d8f3f2971e0007185f6e03385368b22756607511ea369478d71ce36b9d0c64f9f53caaf18d73fea7802c61a1a4079

  • SSDEEP

    12288:V2HWLkzAScSkujQZqn7Ltql2l/abvRvRaBZDR8l+7lIYZC1CygsK:AHWLkz3cSHSq7R3ibvmDqk7dj

Score
10/10
remcosremotehostcollectiondiscoveryexecutionrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

87.120.116.187:56

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GC7VQU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      430010782.pdf.exe

    • Size

      759KB

    • MD5

      74c8f736d425b1bd2027c2b5b144e188

    • SHA1

      76f160d6c55611b99dcd10f85889957cb867990a

    • SHA256

      293ebd610b0542289ffe9a52cab2c2a434dcff94918045a5ed1497deaee5eb87

    • SHA512

      c859f5d689b168a72db6fc7fec5ed3c2a95cbd51402f0128b5370ec0cd41d73e02f90e3b27b85b8d76c5c0140bd9a6d9341d2422673baa52a5138ff689596162

    • SSDEEP

      12288:0GCX77iIc2b3mMhkApKwjVim+PMpa3oGk6Rcs93tRLPHj6XOahG:qr75cY2vFikV/oGtR193tJPDUOr

    Score
    10/10
    discoveryexecutionremcosremotehostcollectionrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

      collection

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      01e76fe9d2033606a48d4816bd9c2d9d

    • SHA1

      e46d8a9ed4d5da220c81baf5f1fdb94708e9aba2

    • SHA256

      ee052fd5141bf769b841846170aabf0d7c2bb922c74c623c3f109344534f7a70

    • SHA512

      62ef7095d1bf53354c20329c2ce8546c277aa0e791839c8a24108a01f9483a953979259e0ad04dbcab966444ee7cdd340f8c9557bc8f98e9400794f2751dc7e0

    • SSDEEP

      96:J7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN738:HbGgGPzxeX6D8ZyGgmkN

    Score
    3/10
    discovery
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks