General

  • Target

    swift3990827.pdf.exe

  • Size

    1.5MB

  • Sample

    250701-ftr74a1tcs

  • MD5

    a594a2201383ab369a856dd49a3166d0

  • SHA1

    1018e6228fa0d5b26e6ad310946485ae0f35fd59

  • SHA256

    635e1653a7b01019e4e0bc11ad328326807d4cf9a0d2f91e917bcbdcf559ff31

  • SHA512

    59c223fa96b8a4106fed5ec228e9145df0d9e6539f33c74d1a44b096cf1e6b678af5ca7d1effc3d5b7057179e433d6479bd49e4b08067865d4e6403dae55359a

  • SSDEEP

    24576:Ieu5r/+iZL5RwvGXUkkKMKbauY49lVQYicyfSvmyd44RwmX1+B0C:e5r/+mRwuXUTKrpY49lVQYJRo4Rwmi

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.atgairport.com:2404

www.ae-emiratesline.com:2404

www.barraka-eg.com:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    sssss

  • mouse_option

    false

  • mutex

    Rmc-8ID3WV

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      swift3990827.pdf.exe

    • Size

      1.5MB

    • MD5

      a594a2201383ab369a856dd49a3166d0

    • SHA1

      1018e6228fa0d5b26e6ad310946485ae0f35fd59

    • SHA256

      635e1653a7b01019e4e0bc11ad328326807d4cf9a0d2f91e917bcbdcf559ff31

    • SHA512

      59c223fa96b8a4106fed5ec228e9145df0d9e6539f33c74d1a44b096cf1e6b678af5ca7d1effc3d5b7057179e433d6479bd49e4b08067865d4e6403dae55359a

    • SSDEEP

      24576:Ieu5r/+iZL5RwvGXUkkKMKbauY49lVQYicyfSvmyd44RwmX1+B0C:e5r/+mRwuXUTKrpY49lVQYJRo4Rwmi

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses Microsoft Outlook accounts

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      75ed96254fbf894e42058062b4b4f0d1

    • SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

    • SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    • SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    • SSDEEP

      192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV

    Score
    3/10

MITRE ATT&CK Enterprise v16

Tasks