Overview

overview

10

Static

static

1

CAD_DETAIL...21.exe

windows7-x64

8

CAD_DETAIL...21.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    10012025_1338_09012025_CAD_DETAILS_--Copies_6761fa19c0f9d_293874738_IMG__REF2632737463773364_221.xxe

  • Size

    900KB

  • Sample

    250110-q3tgmaxrej

  • MD5

    7e0bfe1cc5dcf87413d2f3360b32a52b

  • SHA1

    452e22356f2d0ad35cf61256d8e7791af4bec0f3

  • SHA256

    788aa5866b08b2cde375e552a28130a12c92cd0d5e034ac9417c6d66ad8f7837

  • SHA512

    7cc71b8301b5bc44a8da86f1b7c41fe004f5fdbf6f0d1de5dd7673241cf7d728b5037aca31700a8aa2ffab3c5286dbbcd2baa45f016ac8503101046f8d4cbdb7

  • SSDEEP

    12288:WazIcUY3JDU7kCUGqFv6ocMqFH/IoH3clppf5AGsyf1nYQCtktoMmH:xdU6J47FqZmH/ZmpN5T3f1nXsktov

Score
10/10
remcosspredecollectiondiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

SPREDE

C2

oaziamaka111.duckdns.org:4689

oaziamaka111.duckdns.org:4688

oaziamaka222.duckdns.org:4689

oaziamaka222.duckdns.org:4688
Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    aleopty.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    deokloksgb-NAYJ41

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      CAD_DETAILS_ Copies_6761fa19c0f9d_293874738_IMG__REF2632737463773364_221.exe

    • Size

      643KB

    • MD5

      5cba30723bcacc171aa6417869f5981c

    • SHA1

      a8abaf40ae64d44f9055d4dd3df2f91ac393ecc1

    • SHA256

      d20dae11fd9de533d5ba84666b26dbf233161d991643d2de08fd043699cddbcc

    • SHA512

      6ebb1d4f664933e6f063759c2a615feb72ef250b5a0ec0f3f9775868bacc661931ee64e9ae943db6f58a43b08eac7350a1f511ebf97620356bc504e81d78c431

    • SSDEEP

      12288:llLIJdKsaouLbYCjUnmITaCQwN44mlIc4G66Jg1KCe4sEftmU3BgKiC:lSJaouPYComqa6fcx66Jg16EfthGC

    Score
    10/10
    discoveryexecutionremcosspredecollectionpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

      execution

    • Accesses Microsoft Outlook accounts

      collection

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks