General

  • Target

    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

  • Size

    7KB

  • Sample

    230203-xczz2sgf66

  • MD5

    b359f4af5c88b1e237db9738415b7682

  • SHA1

    d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

  • SHA256

    53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

  • SHA512

    6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

  • SSDEEP

    96:xtEsKVeCVIP7bLp8LAn5c8aY1ej/kKV+J2qzNt:xUVVIP7bLrEOejcKYx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

194.180.49.17:28282

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    rdfghfgjkgoighjc.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-PC1DJ2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

    • Size

      7KB

    • MD5

      b359f4af5c88b1e237db9738415b7682

    • SHA1

      d7fa6d87594ea4d8b5740d54fdc204b08f4e9439

    • SHA256

      53ddb9a75bca1115a66745b28086afbd394cef38f8437dda641b1219111df8cd

    • SHA512

      6d4f06f36c608d3202d29629f9d9a70eadfbffbb23c7c074fbb610ed9e1926bf6e04c8dfecbbaf1d575fb2d0385d237aff2dbda322b092d4ef7728091eb596cb

    • SSDEEP

      96:xtEsKVeCVIP7bLp8LAn5c8aY1ej/kKV+J2qzNt:xUVVIP7bLrEOejcKYx

    • Detect PureCrypter injector

    • PureCrypter

      PureCrypter is a .NET malware loader first seen in early 2021.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.