General

  • Target

    0f9db1a604f02ecde6b747374ad5bde6.js

  • Size

    853KB

  • Sample

    220907-l4hz3abga4

  • MD5

    9d6cc349c5662e0943f620ce559617f1

  • SHA1

    76e0c00f8814b7aed7c57bf96a2667c90e0f3f0a

  • SHA256

    1ce27214924d57fcb691f35e14d48767d0879a62b1a13f2f52c9b51e05028435

  • SHA512

    20399eca979b89c5cc9cf0b81a227321e92b7714ea035cdfbe97bbba39b8d33d922a9499655c3170bec33003305a111d4c5617c11098bc985b2b642ea4551d19

  • SSDEEP

    12288:ioPp+y4DmZYL67Zpt0s/yFAJdlZHkpn/q7TOScuwBLJuz0aowLvFFEsYBqXu:z6KZWqZYwyFeEpCuOOwLtFEsY3

Malware Config

Extracted

Family

remcos

Botnet

Chinese

C2

185.157.162.75:2222

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WGAM8T

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    PowerPc

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Remcos

      Remcos is a closed-source remote control and surveillance tool, sold commercially and widely abused as a RAT.

    • Vjw0rm

      Vjw0rm is a remote access trojan written in JavaScript.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check before the payload runs.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application
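
    The extracted configuration and the behaviour signatures above translate directly into host and network indicators for this sample. The script below is an added example, not part of the sandbox report: it derives indicators from the config values listed on this page (C2, mutex, copy folder and file, Run key value name) and runs them over a few constructed, Sysmon-like telemetry lines. The telemetry format, the file paths and the assumption that Remcos places copy_folder under %AppData% are illustrative; the registry key HKCU\Control Panel\International\Geo\Nation used for the "checks computer location settings" rule is an assumption about how the geofence lookup is performed, since the report only names the behaviour.

```python
"""Turn the Remcos config from this report into hunt indicators and apply them
to constructed telemetry. Added example; not code from the sandbox or Remcos."""
import re

# Field values copied from the "Malware Config" section of the report.
REMCOS_CONFIG = {
    "c2": "185.157.162.75:2222",
    "mutex": "Rmc-WGAM8T",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "startup_value": "PowerPc",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}

# Constructed telemetry lines (key=value, quoted when the value has spaces).
# Paths and the registry key for the country lookup are assumptions for the demo.
TELEMETRY = [
    r'event=FileCreate image=C:\Windows\System32\wscript.exe target=C:\Users\alice\AppData\Roaming\Remcos\remcos.exe',
    r'event=RegistryValueSet key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value=PowerPc data=C:\Users\alice\AppData\Roaming\Remcos\remcos.exe',
    r'event=RegistryQuery key="HKCU\Control Panel\International\Geo" value=Nation',
    r'event=MutexCreate name=Rmc-WGAM8T',
    r'event=NetworkConnect image=C:\Users\alice\AppData\Roaming\Remcos\remcos.exe dst=185.157.162.75 dport=2222',
    r'event=NetworkConnect image=C:\Windows\System32\svchost.exe dst=23.200.1.10 dport=443',
    r'event=FileCreate image=C:\Windows\explorer.exe target=C:\Users\alice\Documents\notes.txt',
]

_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one key=value telemetry line into a dict (quoted values may contain spaces)."""
    return {key: quoted or bare for key, quoted, bare in _FIELD_RE.findall(line)}


def indicators_from_config(cfg):
    """Derive concrete indicators from the extracted config fields.
    The copy_folder\\copy_file suffix assumes the dropped copy keeps both names."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "run_value": cfg["startup_value"],
        "dropped_exe": "\\" + cfg["copy_folder"] + "\\" + cfg["copy_file"],
    }


def match_line(fields, ioc):
    """Return the name of the first rule this event satisfies, or None."""
    ev = fields.get("event")
    if (ev == "NetworkConnect" and fields.get("dst") == ioc["c2_host"]
            and fields.get("dport") == str(ioc["c2_port"])):
        return "remcos_c2_connect"
    if ev == "MutexCreate" and fields.get("name") == ioc["mutex"]:
        return "remcos_mutex"
    if (ev == "RegistryValueSet"
            and fields.get("key", "").lower().endswith(r"\currentversion\run")
            and fields.get("value") == ioc["run_value"]):
        return "remcos_run_key"
    if ev == "FileCreate" and fields.get("target", "").lower().endswith(ioc["dropped_exe"].lower()):
        return "remcos_dropped_exe"
    # Geofence check: assumed to read the Nation value under Control Panel\International\Geo.
    if (ev == "RegistryQuery"
            and fields.get("key", "").lower().endswith(r"\international\geo")
            and fields.get("value") == "Nation"):
        return "geo_nation_lookup"
    return None


def hunt(lines, cfg=REMCOS_CONFIG):
    """Run every line through the config-derived rules; return (rule, line) hits in order."""
    ioc = indicators_from_config(cfg)
    hits = []
    for line in lines:
        rule = match_line(parse_line(line), ioc)
        if rule:
            hits.append((rule, line))
    return hits


if __name__ == "__main__":
    for rule, line in hunt(TELEMETRY):
        print(f"{rule:22s} {line}")
```

    The mutex name and the Run key value name are the cheapest pivots here: both are fixed by the builder config rather than by the host, so they survive a change of drop path. The C2 socket is the weakest indicator on its own, since connect_interval is 1 and the operator can rotate it; pair it with the process image making the connection, as the NetworkConnect rule does by way of the dropped-copy path.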

MITRE ATT&CK Enterprise v6

Tasks