General

  • Target

    invoice_2818144.vbs

  • Size

    226B

  • Sample

    210929-ap75vsddan

  • MD5

    fce037aad780c08c85db2f24bff80cfa

  • SHA1

    881fc64b6fe1dad9459327e931399635fc1fe27c

  • SHA256

    cb77b93150cb0f7fe65ce8a7e2a5781e727419451355a7736db84109fa215a89

  • SHA512

    cc3b7adfa276163c33fd5cb62dacf0ae754d53d749b0ed95686a42344ecd1cb94a712f89cc6a2ddaae2eaff90a6ac9913fd368ce196612a2a861fba9eecfbb95

Malware Config

Extracted

  • Family

    remcos

  • Version

    3.2.1 Pro

  • Botnet

    RemoteHost

  • C2

    snackebay.ddns.net:7676

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remasascos-LVXDHO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      invoice_2818144.vbs

    • Registers COM server for autorun

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Discovery

    System Information Discovery (T1082): 1

Tasks