Overview

overview

10

Static

static

10

1736062625...ed.exe

windows7-x64

9

1736062625...ed.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe

  • Size

    481KB

  • Sample

    250105-jkw2gaxmhy

  • MD5

    41496241ae1ad7c561d749f7d479caff

  • SHA1

    e2935d471b03f8efc40460d29e2c07ee5a26f8de

  • SHA256

    ad4a934328e699a5065c7c55ab3399d74134b5e97401175948b5296faf98d2a8

  • SHA512

    50f27e89d4167087e60a251189766cabd71e81b52713d99687cf8aa70ceb220c450a175bc1559bd4e981fcb1fe3c4ee59ced8c0501abf5f234f336e318563fe7

  • SSDEEP

    12288:79PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD54j+P32:p43HfwIGYMcn5PJrZa+

Score
10/10
remcoschesguycecollectioncredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

remcos

Botnet

chesguyce

C2

195.133.78.18:7346

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    fyhstga-ONSWMZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe

    • Size

      481KB

    • MD5

      41496241ae1ad7c561d749f7d479caff

    • SHA1

      e2935d471b03f8efc40460d29e2c07ee5a26f8de

    • SHA256

      ad4a934328e699a5065c7c55ab3399d74134b5e97401175948b5296faf98d2a8

    • SHA512

      50f27e89d4167087e60a251189766cabd71e81b52713d99687cf8aa70ceb220c450a175bc1559bd4e981fcb1fe3c4ee59ced8c0501abf5f234f336e318563fe7

    • SSDEEP

      12288:79PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD54j+P32:p43HfwIGYMcn5PJrZa+

    Score
    9/10
    collectioncredential_accessdiscoveryspywarestealer

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Uses browser remote debugging

      Can be used control the browser and steal sensitive information such as credentials and session cookies.

      credential_accessstealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook accounts

      collection

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks