Overview

overview

10

Static

static

1

MRP00108 &...87.exe

windows7-x64

4

MRP00108 &...87.exe

windows10-2004-x64

10

Filterintegration.ps1

windows7-x64

3

Filterintegration.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MRP00108SDA00687.rar

  • Size

    623KB

  • Sample

    241209-klfasaslbw

  • MD5

    d2529b6b54c81ad2cfba0b408153510b

  • SHA1

    bf1568d0d90ff4d9e727f577a00ab29b68c2c9da

  • SHA256

    7507bdd2d90113ba83c84b5efe0687f0e28b3909c7ef2d5ff94d2aeb4e3b78be

  • SHA512

    f7f91b3cf99f15984ef57e90fe0bd00651f645d474fa2a24b1dce8022b792a882bb4456e6e7b8fe1297cb3e1edeb0a9d7970e3b8a718cfac367a3ae859c38647

  • SSDEEP

    12288:Nkfo3Kpb1TQX1o/K7g6MTDfM9pRBcgrC1PTLjW/NpGwqKqN3DqsL:NkgObtQX1o/ygzi6PTL2N4rKqtL

Score
10/10
remcosremotehostcollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

157.230.51.65:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-R66R8R

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      MRP00108 & SDA00687.exe

    • Size

      710KB

    • MD5

      9fc11ee03f60a10e4a2f26edbf8fcdaf

    • SHA1

      7ed74a2e69bd49aadc4716a420dcacea97e220d7

    • SHA256

      30d74b831f98532075daed442b93067c7ce8846d7cbd557f43a13922840b698a

    • SHA512

      ee2d8b55b9b2b2d3e5cf867688236299a5585be3a7516dc8027e9965b2ac7354f1bf84fcf9f998af7ed185f8b36bbfd1b1a0e6d5a41b65a6d4ed06f722382adf

    • SSDEEP

      12288:X6qSGX12mgYtQvCOgMAwhsuiB/IhyrWQIUbMZHBeGoOO+XKCR6i0EYuCn0a:HJX1YBvCHMquiBJaQ/eBeGoOOKKCR655

    Score
    10/10
    discoveryexecutionremcosremotehostcollectionrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Accesses Microsoft Outlook accounts

      collection

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Filterintegration.Eks

    • Size

      52KB

    • MD5

      b2675a19c8907bdb1caac87a463036ab

    • SHA1

      ce3eb4761dd92a88834851e404952edebac92ff3

    • SHA256

      e55feb751d85c738f96c802c9df5af30ef0722a0af003bdc65826f31c2d0b9cd

    • SHA512

      5d0707af18e5e0790c48c33ab62869cdbba3662de10850368b8a0ad1511896a29ce6f7b1d1daaa45876ce83873d8cef1df592092c07615e7a72dd5d3620a95b4

    • SSDEEP

      768:DfV6aJ4eYCDeA0vC8w56zGmZJCLFm/EHXda1My4bDEh91kQAxKzeWSVlsIkgQSiN:DfV6k4XLK8S6XHENa12bYkQAxK+VlTdG

    Score
    8/10
    executionpersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks