remcos | 95be57795b850e5aa098c80a107bafdb581da7653d9b57b8f2d37b89880de224 | Triage

Submit
Reports

Overview

overview

Static

static

1

Offer ZI-0428.rtf

windows7-x64

Offer ZI-0428.rtf

windows10-1703-x64

1

Offer ZI-0428.rtf

windows10-2004-x64

1

Offer ZI-0428.rtf

windows11-21h2-x64

1

Resubmissions

01-07-2024 12:39

240701-pvt8hssbpd 10

01-07-2024 11:57

240701-n4kvrstdkn 4

Sharing

General

Target

Offer ZI-0428.doc
Size

293KB
Sample

240701-pvt8hssbpd
MD5

dde9d7d091ac0cc1d35515d259d8ca6f
SHA1

c6e943143771fc3fd7c2c548f5fddcd6013d9302
SHA256

95be57795b850e5aa098c80a107bafdb581da7653d9b57b8f2d37b89880de224
SHA512

04f282c1b0333925454b7ab1c461c4ae395b0b8148bc6d51fd36368db2dc187daa6d273177d4ad15b50ede52bacf6271062dab70d45b871c8f805a8083844995
SSDEEP

6144:4GuqGuqGuqGuqGuqGuqGuqGuqGuqGu9tNcTr:4

Score

10^/10

remcos spittt collection execution rat spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

Offer ZI-0428.rtf

Resource

win7-20240611-en

remcos spittt collection execution rat spyware stealer

windows7-x64

26 signatures

150 seconds

Behavioral task

behavioral2

Sample

Offer ZI-0428.rtf

Resource

win10-20240404-en

windows10-1703-x64

4 signatures

150 seconds

Behavioral task

behavioral3

Sample

Offer ZI-0428.rtf

Resource

win10v2004-20240226-en

windows10-2004-x64

4 signatures

150 seconds

Behavioral task

behavioral4

Sample

Offer ZI-0428.rtf

Resource

win11-20240508-en

windows11-21h2-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

sPITTT

C2

antfly50.sytes.net:1980

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BW3KDF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Offer ZI-0428.doc
- Size
  
  293KB
- MD5
  
  dde9d7d091ac0cc1d35515d259d8ca6f
- SHA1
  
  c6e943143771fc3fd7c2c548f5fddcd6013d9302
- SHA256
  
  95be57795b850e5aa098c80a107bafdb581da7653d9b57b8f2d37b89880de224
- SHA512
  
  04f282c1b0333925454b7ab1c461c4ae395b0b8148bc6d51fd36368db2dc187daa6d273177d4ad15b50ede52bacf6271062dab70d45b871c8f805a8083844995
- SSDEEP
  
  6144:4GuqGuqGuqGuqGuqGuqGuqGuqGuqGu9tNcTr:4
Score

10^/10

remcos spittt collection execution rat spyware stealer
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook accounts
  collection
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Data from Local System

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosspitttcollectionexecutionratspywarestealer

behavioral2

behavioral3

behavioral4

© 2018-2024

Terms | Privacy