General
- Target: 17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe
- Size: 429KB
- Sample: 241218-1w4n5atkgv
- MD5: 0d323be01f1a4edfd1c8e9f2c344a374
- SHA1: 08a5cd24b9898676c2b6f8a88b5d42027c05085a
- SHA256: c81c405cc7c101ef8dd7c32a457c69495663f46c6039c5dc38e7e8b485b9840f
- SHA512: e55cd4dc8c5e24db29f3f2557161af03fd3609474a019fe22285cac04b75878799cdd7ea4e63eafa5fbc75f4318b0d2824a5afd64d8de66c4c0584307dd878de
- SSDEEP: 6144:3+d2+U+8RRJorR7zu6tF9x46YGg83lgnbJHZFXUU01yC5wJ/3AO2HyXGcKcOxuf:3+d3UGddn4F83l0JjXUU0kXAHTceuf
Behavioral task: behavioral1
- Sample: 17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe
- Resource: win11-20241007-en
Malware Config
Extracted: remcos
- RemoteHost: 177.106.216.153:2404
- audio_folder: MicRecords
- audio_path: ApplicationPath
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: remcos
- mouse_option: false
- mutex: Rmc-GEAZH5
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Extracted
- https://res.cloudinary.com/dzvai86uh/image/upload/v1734315244/m3gtbqktvnocyvm410aa.jpg%20
Targets
- Target: 17345063495d9ff9a239e91022aad8f2d11b89f02854c4b148235396ec7a0562f12ac23b56442.dat-decoded.exe (same file, size and hashes as listed under General)
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Looks for Xen service registry key.
- Sets service image path in registry
- A potential corporate email address has been identified in the URL: [email protected]
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Indicator Removal (1)
  - Clear Persistence (1)
- Modify Registry (3)
- Subvert Trust Controls (1)
  - SIP and Trust Provider Hijacking (1)
- Virtualization/Sandbox Evasion (1)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)