General

  • Target

    a9759582589af5604d737887564761c953908d51196e74728f0b2165cf7b1089

  • Size

    1.6MB

  • Sample

    241212-skcr9sxqdx

  • MD5

    cd8bc8c9cb18acfdeee57f8481b93a8d

  • SHA1

    94bd8bf98a8e9c9b2cb4c9afe38e79901f40f537

  • SHA256

    a9759582589af5604d737887564761c953908d51196e74728f0b2165cf7b1089

  • SHA512

    1685e8989763223e0470f77227beef312e350487b58655b9a3efa986db1caa28e1e9a28691d08b74e21cd6ecd20bbb9933a8ffe05a873da75276656c42613bc9

  • SSDEEP

    49152:rgnwGWDbeyp8V1OdGHmoa5FVSokt0kD8tR:UwGepjdGHO5Qyms

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

subddfg.lol:2404

Attributes

  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-A65UIX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Purchase order 202412.scr

    • Size

      1.6MB

    • MD5

      15214c528c41de4d5e542ebd3d4ac075

    • SHA1

      bdab48d323ab0e0c4689061db5fb08adfe1afec8

    • SHA256

      5aeb1293c473a66795bf0ff3a7892e6a6cf70aea5248a38f204632a5fdbe1f63

    • SHA512

      02b6635e4f1a98765e65ee14db0e93ab8dfdf4c7c0086addad86e4a09466ae49dc66accda0bc142828656fca994eb99255ea4c762ffc9f6706410e4877cc9fc2

    • SSDEEP

      24576:t9tWunuwwAghUBUQyXGF8X0VMMOFdYHJStLidtLw8tWVq6VdbcGstKR18+YDQZp:NWtP4+P0Vn+dYHMwwjbV6Gst2aDQZp

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Detected Nirsoft tools

      Free utilities, often used by attackers, that can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, etc.

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      0063d48afe5a0cdc02833145667b6641

    • SHA1

      e7eb614805d183ecb1127c62decb1a6be1b4f7a8

    • SHA256

      ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

    • SHA512

      71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

    • SSDEEP

      192:qPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4U:F7VpNo8gmOyRsVc4

    • Score

      3/10

MITRE ATT&CK Enterprise v15