General

  • Target: d3f518246d1e4b58ec60d3e11ba86b33b961101794570fe04d412c63ac1be3b1
  • Size: 404KB
  • Sample: 220521-pe3jysaddl
  • MD5: da62f10f93ab5fb6ebd91ffcb357311f
  • SHA1: 8f6c24d89642aafeef0ef05bef1af3aa0831d430
  • SHA256: d3f518246d1e4b58ec60d3e11ba86b33b961101794570fe04d412c63ac1be3b1
  • SHA512: 95f9fe41b59fcefab25d96f243b3681fd08fffdb09238647ac9923df1fa8f7d8b7ae4722031951cbbe391792f589c27bb37f485250f8495b8e3c1270926750a4

Score: 10/10

Malware Config

Extracted

  • Family: remcos
  • Version: 2.7.0 Pro
  • Botnet: blessed
  • C2: jackyjian1965.hopto.org:1965

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: Remcos-0M1UHM
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: wikipedia;solitaire;

Targets

    • Target: Offer & Request Document,pdf.exe
    • Size: 564KB
    • MD5: 9e06fb829e7c93b27fb315f9595518ce
    • SHA1: b0b3761fad53e0d7aa6a96c1674722f699cd9fcd
    • SHA256: 83a26e39047c87887892d0c0e5358b4e594de340740756dd85ede4bb7ea3c3b5
    • SHA512: 651d719f414895e27e8e21ca39a9266e639c236850d4613231817b64481dcb5be937128a70ce1ecb9f11cb8491fe80070305bc42d9326b450f86c62bd906a715

    Score: 10/10

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (1), T1053
  • Persistence: Scheduled Task (1), T1053
  • Privilege Escalation: Scheduled Task (1), T1053
  • Discovery: Query Registry (1), T1012; System Information Discovery (2), T1082

Tasks