maldoc dropping Remcos RAT

Files:
File name: PLURILITERAL.exe
MD5: 6687f5ca89833f38157110f58bba8785
SHA256: 2fdb33e0895ec644222e153ab7ce485c76c8afa07c039b2c4e54aecba1e33c28
Filesize: 274432 bytes

File name: PLURILITERAL.vbs
MD5: 0495f6d9da19698aa3e4f55ac7f48278
SHA256: efd1a1a236041eea5b7db330b7ca304bb48b052bf2dbefb59395287a64dc1196
Filesize: 108 bytes

File name: qwerty2.exe
MD5: a85b0bf02ef1504f8cdf2e113294c888
SHA256: c263a793764bedabdf4aebbcc662627f7372e70ad573d42bdb752003b6a70976
Filesize: 274432 bytes

File name: Resume.doc (name removed, password: 1234)
MD5: 8d95ababf5c6566fe65095abf8acff81
SHA256: d4c144873b11177071a5e99f70970afc36bc7a3163b6feee2945d8d37edcb8a9
Filesize: 37888 bytes

Download (password: malware)

URLs:
hxxp://209.141.34[.]8/test1.exe
hxxp://toptoptop1[.]online:2404
hxxp://toptoptop2[.]online:2404
hxxp://toptoptop3[.]site:2404

IPs:
103.1.184.108
209.141.34.8
192.64.119.33

Details:
Sample source is a password-protected malicious .doc attached to malspam.
After enabling macros, it reaches out to an IP-based payload site:
The .exe it grabs is named "qwerty2" and works its way through several changes, including moving itself and renaming itself to "PLURILITERAL.exe":
According to ProcessHacker settings, the slight purple indicates a "debugging" process. I'm not really sure what this means in the grand scheme of things. Also, lol @ the 452 MB process.

After settling down, several keylogging-related strings can be found in memory, and the process quickly reveals itself to be Remcos RAT:

Also found in memory are the C2s:

The ProcDOT graph is fairly busy:
It unveils the persistence mechanism: a registry key that invokes a VBS script, which in turn calls the malicious executable found in %APPDATA%\Roaming\Temp:


Remcos is quite noisy, creating its own registry keys for the exe path and license key:
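As an added example (not from the post), a small Python check over `reg query` output that looks for the persistence pattern described above: a Run value that launches a .vbs through a script host, or one whose path sits under AppData\Roaming\Temp. The Run key location, the value names and the sample `reg query` output are constructed assumptions, not data from the sample.

```python
import re

# Constructed sample of `reg query HKCU\...\Run` output (not from the post).
# The second and third entries mimic the persistence chain described above:
# a Run value launches a .vbs, which starts the dropped exe under AppData\Roaming\Temp.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    PLURILITERAL    REG_SZ    wscript.exe "C:\Users\alice\AppData\Roaming\PLURILITERAL.vbs"
    Updater    REG_EXPAND_SZ    %APPDATA%\Roaming\Temp\PLURILITERAL.exe
"""

# Each value line of `reg query` output is: <name><4+ spaces><REG_type><4+ spaces><data>
_ENTRY = re.compile(r"^\s+(?P<name>.+?)\s{4,}(?P<type>REG_\w+)\s{4,}(?P<data>.*)$")


def parse_reg_query(text):
    """Return a list of (name, type, data) tuples for every value line in the output."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((m["name"], m["type"], m["data"].strip()))
    return entries


# Heuristics matching what the post observed:
#  - the autorun invokes wscript/cscript on a .vbs file
#  - the autorun data references a path under AppData\Roaming\Temp
#    (accepts both the %APPDATA% form and the expanded form)
_SCRIPT_HOST = re.compile(r"\b[wc]script(\.exe)?\b.*\.vbs\b", re.I)
_ROAMING_TEMP = re.compile(r"(?:%APPDATA%|AppData\\Roaming)(?:\\Roaming)?\\Temp\\", re.I)


def flag_autoruns(entries):
    """Return [(name, data, [reasons])] for entries that match any heuristic."""
    findings = []
    for name, _type, data in entries:
        reasons = []
        if _SCRIPT_HOST.search(data):
            reasons.append("script host launching a .vbs")
        if _ROAMING_TEMP.search(data):
            reasons.append("executable path under AppData\\Roaming\\Temp")
        if reasons:
            findings.append((name, data, reasons))
    return findings


if __name__ == "__main__":
    for name, data, reasons in flag_autoruns(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"[!] {name}: {data}\n    {'; '.join(reasons)}")
```

On a live host, feed the function the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent) instead of the constructed sample.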
