General

  • Target

    d55f421828d1f39ad61ae8a92028be1a.rtf

  • Size

    22KB

  • Sample

    221005-mwne9aeba8

  • MD5

    d55f421828d1f39ad61ae8a92028be1a

  • SHA1

    4049f2a3184cb63604d7fa9d30501a15b10161ed

  • SHA256

    b2d3ea72a3ea0d19826c447346cc134d08bf6d48326bc289c4fd11104a66cafc

  • SHA512

    7188e999a558a7713ad8b68d2e99787d8cf592ebef5c7553911a44c797317a975e89407d06808d9037f36914cabcafef516f630d23aad41188a47afafdd28607

  • SSDEEP

    384:yfxr8RPBpl4DgwA8OzV1UJ2YN3mhwKzC+tnXQMYCviNRLPll+UTiKd:yfxrmBpl4DgwROzV2J2mmhwKzXJXxYIo

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

mam.mastercoa.co:37824

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-3FCFQU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      d55f421828d1f39ad61ae8a92028be1a.rtf

    • Size

      22KB

    • MD5

      d55f421828d1f39ad61ae8a92028be1a

    • SHA1

      4049f2a3184cb63604d7fa9d30501a15b10161ed

    • SHA256

      b2d3ea72a3ea0d19826c447346cc134d08bf6d48326bc289c4fd11104a66cafc

    • SHA512

      7188e999a558a7713ad8b68d2e99787d8cf592ebef5c7553911a44c797317a975e89407d06808d9037f36914cabcafef516f630d23aad41188a47afafdd28607

    • SSDEEP

      384:yfxr8RPBpl4DgwA8OzV1UJ2YN3mhwKzC+tnXQMYCviNRLPll+UTiKd:yfxrmBpl4DgwROzV2J2mmhwKzXJXxYIo

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Scripting

1
T1064

Modify Registry

2
T1112

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks