General

  • Target

    DOCUMET7887RAMADA@#$@!.exe

  • Size

    1.2MB

  • Sample

    250116-kw5nessmhv

  • MD5

    6dbfced7845c936a56c3685329dc24d9

  • SHA1

    416db985d9b8defa1b99d17956aae3d767d9d92b

  • SHA256

    304947e91f66751b25d0899c7b9feffe43a5620b13fd5de4a8c5642d638ce45f

  • SHA512

    9ca83f6d19299abdfa872713d3646737e6319ef4c422d0af7c9bbd237a199f058126f05a451c91057970ac000d885b35b34fd3d46307947ee67847af6dca96f4

  • SSDEEP

    24576:myZDPLNLlTznkEU9gld5cYSOXQkPoNW+8pwcyLy2wFV3y:PrLlTgEcgzXX1PYAFn3y

Malware Config

Extracted

Family

remcos

Botnet

Sent

C2

haleleeh8iuoty1.duckdns.org:8347

haleleeh8iuoty1.duckdns.org:37830

haleleeh8iuoty2.duckdns.org:8347

haleleeh8iuoty3.duckdns.org:8347

haleleeh8iuoty4.duckdns.org:8347

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    kmirtup.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    aksoetuise-Y9DD4X

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      DOCUMET7887RAMADA@#$@!.exe

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Flanr.fje

    • Size

      331KB

    • MD5

      06acea567a0ded05680dbb9de58d0311

    • SHA1

      e84e2cde7049ce616b5cc579ce4b4d837423e586

    • SHA256

      fd3f116786b5db01589d0460c9e1ffccdc468237ee2db9941482c904bc20500b

    • SHA512

      e5c9492b5c49f75c92f45c9b577d67854d989e5672cfc3c2f8b4e831b00082f180834080e398bef69dcd0d3611d4404879e4b6ee9ef57afb2c421ea7f422bc14

    • SSDEEP

      6144:I7p+dxQtxApgbfP+/Yw9R2KXTRAe+vIhvitw0BySmyqtsDK:I7p+kAp8f2/x9Es+w0a0PLnK

    Score: 3/10

    • Target

      Krieker213.Fla

    • Size

      56KB

    • MD5

      71ec49d3afc6876b0238400570d4028d

    • SHA1

      e661e5ca92fa77b576dd75c8d981936b2db5be88

    • SHA256

      178d63022c2e5d42cd6f8dd983b8a4a19568e1370efad6c9c51f4b8807964885

    • SHA512

      dae10533f8b54e5dcd1e929a2af3270f201e22566961d27ef4c52ad359b821a4b95bab5469047fe61271111876208833450010d8cf1ce9bd73edcd829d6f21e2

    • SSDEEP

      768:fZNT7eOOP2RNuL0/83OfQ5lzQh93NC6BEa6ytpjpi927g3AVT2OC1dHBBu8sXvA3:xNT7eOOP2R81yXPBEmjpuWSTB1qmiM

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      Modisterne.pse

    • Size

      2.5MB

    • MD5

      1b2d833eaef04d649440096bc2ddb99b

    • SHA1

      4a930d046e17a26c6ba326b67f83844023f09e98

    • SHA256

      9406dbd3013617834c7b1023fbe67e1edc622dd4cd1e5c314ea8d651ce480d62

    • SHA512

      575a45869e9d260b87eead265820f08a6ef6ed47f3b91cd88fd56f2d95abb46b8cbbb5aec09b4ecc7cb35984a0420d0a0db48fee657bb34c7e1784e4486aaeb2

    • SSDEEP

      768:pJXirUX802MSH/8z9pnOiOTLK4ZRTs4M5WNzmScNtsyiv8DJ1ke4Z/lHdXose5kX:nnqwuyr

    Score: 3/10

    • Target

      Uncleanness.eug

    • Size

      3.5MB

    • MD5

      9f17dea8336aa77ebe99d5ae830599a5

    • SHA1

      4b96dad7cef514097c8ce27f59dd7336aa042137

    • SHA256

      db28f064f22a938f1df25a92caf0ede928d394e74edbd5eeae9284f45271c0ae

    • SHA512

      ea2a1594beca24312782f0c5e2beebf995bababf021c2bd77d90367b1e1c85e502ff692df290e9a55a2830fcafa5e5aed07cc6333fd466e8983e788a68d070d1

    • SSDEEP

      768:DR1y8+DeswkiCnPDx28+wzVhdlm5z9xUT2hhDvY1ALowOvixHJaBpU4og59Nud+3:8/EE4HQNFVttkw3CL4B

    Score: 3/10

    • Target

      dendropogon.txt

    • Size

      500B

    • MD5

      c3c83ef0066fd6b16972dcfb515aefcc

    • SHA1

      49f44118eefd3b99e3d5645a8dcb275e4c521cbd

    • SHA256

      86196759cefcbb191c5bab56d5758c9630d8b2a0e3a890c975ebabb4474473a9

    • SHA512

      c0591a56ead4c5a64dff27695077a3f62f34fe3848b670c0322f00afa0f6a17e2f9c09e9094818123c7f54a995c9a2b9478fd72257bfcef52596994fb97cf7cd

    Score: 1/10

    • Target

      hjemstedskommunerne.cel

    • Size

      3.0MB

    • MD5

      2493fb6b8d7bbb76227c9d5f0cbb9b97

    • SHA1

      da2f39f5f70c05407408509edccddeb325f651b5

    • SHA256

      b7d2297a871efcee3b580e91c2100e98adbf92df74a27847e24ecd4448c0bb60

    • SHA512

      64d2fe91f4e0fb972a87f7da80cf80d7e4b6b61c6c287272818cdcbd4f2b7a4fa5302b9ad37209933efeebdb36132c0098573eedd4ee4617434294580845ecfc

    • SSDEEP

      768:+uWhkgov4Xs/Y4pWD98LFtBhJHd5jBKXN85WI38KFdIVejTiWKBMNmA5T0upj02b:tjg0+5bBa185xqGvS5

    Score: 3/10

    • Target

      olieraffinaderiers.fat

    • Size

      2.1MB

    • MD5

      98fbcf4028cd1928741f407ef9247f0c

    • SHA1

      504ac6412ee629ac359c3b39c3643713ea2673e6

    • SHA256

      b161fc42e73bcc9c765f22276afa1d12f477005796aadf905764f1775ae849f7

    • SHA512

      2beccae55edff550f507185c382915d6963ca6b5ac6f5eea77fbfe021789af7422cc4c135ef3ef16203c033a016da1866216a25ff09a8061074e6e4967c57d87

    • SSDEEP

      768:5bvlMtVBVdoLAVOHAIZ5SAm+YFILTjCZoe/OXMHo+/VJqEWOSKWs7QE7SD7nek/K:dM85ZEd6L73

    Score: 3/10

MITRE ATT&CK Enterprise v15