General

  • Target

    lucerne as at 28 Nov 2022.exe

  • Size

    579KB

  • Sample

    221203-r9v5gaea9t

  • MD5

    796280ec19f4cabce99bbb14b4a43f28

  • SHA1

    537bedfbb6f6f2b544bc4892437f4a6050d932a9

  • SHA256

    eeb4e124303b10a370d6c20f70c17303dfe1cd6de4b255d85061804ad6902db0

  • SHA512

    6afca105404a50684a9a4b37646b2bbd17339120849aad6f9c8ef8e2abc4d28ba6ad144195b3db1e676c3d7a3335751b134ed58397d62991895b04a9f6498eb8

  • SSDEEP

    12288:VmwtkzfN9A6V20TKzB32n/3Ki0mGXq7mclWKpNCi/g:ltkzf3A6VR6O/OrXqicvN

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

awa

C2

gdyhjjdhbvxgsfe.gotdns.ch:2718

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J6C5A7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      lucerne as at 28 Nov 2022.exe

    • Size

      579KB

    • MD5

      796280ec19f4cabce99bbb14b4a43f28

    • SHA1

      537bedfbb6f6f2b544bc4892437f4a6050d932a9

    • SHA256

      eeb4e124303b10a370d6c20f70c17303dfe1cd6de4b255d85061804ad6902db0

    • SHA512

      6afca105404a50684a9a4b37646b2bbd17339120849aad6f9c8ef8e2abc4d28ba6ad144195b3db1e676c3d7a3335751b134ed58397d62991895b04a9f6498eb8

    • SSDEEP

      12288:VmwtkzfN9A6V20TKzB32n/3Ki0mGXq7mclWKpNCi/g:ltkzf3A6VR6O/OrXqicvN

    Score
    10/10
    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Drops startup file

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks