General

  • Target

    USD_Payment-Advice69802 Nogales 2023-07-11 .vbs

  • Size

    2.1MB

  • Sample

    230711-gjmqased76

  • MD5

    cda952ff91b69f2d70c56f427bafe567

  • SHA1

    35f438e7d1340aba7046620c1b3a58c9615d0ff8

  • SHA256

    eb5c9cc7fec783579f200884eef6b349b2a7e65a99b69a872c0de1e717211b7d

  • SHA512

    831e38b8360738210c9e53dbadffa25215a40c09a370c654ec1f46fbd76293696cf6e5aaaf3d9b079cbc3ce0add12b4fe8b32d34074233c6e5cf492303c13929

  • SSDEEP

    6144:aK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8mK8d:Y3CM0Y

Malware Config

Extracted

Family

remcos

Botnet

Adobe-Crusher

C2

ea01299e9ae43df8612cc3ecf2c968c41c55b74b483d44927dbc5185bd.crusherx1.cfd:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-N2JN6L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
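The attribute list above is easier to act on once it is normalised. The following Python is an added example, not the sandbox's own config extractor or any Remcos tooling: it parses that bullet layout ("• key" with the value on the next non-empty line), types the values and derives the network and host artefacts an analyst would pivot on. The %AppData% root, the assumption that copy_folder, keylog_folder and screenshot_folder sit directly under it, and the use of the last two DNS labels as the registrable domain are illustration choices, not facts from the report.

```python
"""Normalise the extracted Remcos configuration printed above.

Added example; not the sandbox's own config extractor. Assumed for illustration:
the %AppData% root, that copy_folder/keylog_folder/screenshot_folder sit directly
under it, and that the registrable domain is simply the last two DNS labels.
"""
import json
import re

# Constructed excerpt of the report above (keys/values copied from it; most blank
# spacer lines dropped, the parser skips them either way).
REPORT_TEXT = """
C2

ea01299e9ae43df8612cc3ecf2c968c41c55b74b483d44927dbc5185bd.crusherx1.cfd:2404

Attributes
  • connect_interval
    1
  • copy_file
    remcos.exe
  • copy_folder
    Remcos
  • install_flag
    false
  • keylog_file
    logs.dat
  • keylog_flag
    false
  • keylog_folder
    remcos
  • mutex
    Rmc-N2JN6L
  • screenshot_flag
    false
  • screenshot_folder
    Screenshots
  • screenshot_path
    %AppData%
"""

TOP_LEVEL = {"Family", "Botnet", "C2"}   # single-value headings outside Attributes


def coerce(value):
    """Map the report's text to bool/int where it clearly is one, else keep str."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if re.fullmatch(r"\d+", value):
        return int(value)
    return value


def parse_report(text):
    """Return (top_level, attributes) dicts from the bullet layout above."""
    top, attrs, pending = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:          # previous line named a key; this is its value
            target, key = pending
            target[key] = coerce(line)
            pending = None
        elif line.startswith("•"):
            pending = (attrs, line.lstrip("•").strip())
        elif line in TOP_LEVEL:
            pending = (top, line.lower())
        # anything else ("Attributes", "Extracted") is a section label and is skipped
    return top, attrs


def derive_indicators(top, attrs, appdata=r"C:\Users\analyst\AppData\Roaming"):
    """Derive the network and host artefacts implied by the configuration."""
    host, _, port = top["c2"].rpartition(":")
    labels = host.split(".")
    surveillance = (("keylogger", "keylog_flag"), ("screenshots", "screenshot_flag"))
    return {
        "c2_host": host,
        "c2_port": int(port),
        # The first label is a long hex string; record that and hunt on the
        # registrable domain as well as on the full host name.
        "c2_domain": ".".join(labels[-2:]),
        "c2_first_label_hex": re.fullmatch(r"[0-9a-f]{16,}", labels[0]) is not None,
        "mutex": attrs["mutex"],
        "install_path": rf"{appdata}\{attrs['copy_folder']}\{attrs['copy_file']}",
        "keylog_path": rf"{appdata}\{attrs['keylog_folder']}\{attrs['keylog_file']}",
        "screenshot_dir": attrs["screenshot_path"].replace("%AppData%", appdata)
        + "\\" + attrs["screenshot_folder"],
        # install_flag false: the built-in copy-and-persist routine is disabled.
        "installs_itself": attrs["install_flag"],
        # Build-time switches only; the operator can enable these over the C2 channel.
        "surveillance_enabled_at_build": [n for n, f in surveillance if attrs.get(f)],
    }


if __name__ == "__main__":
    print(json.dumps(derive_indicators(*parse_report(REPORT_TEXT)), indent=2))
```

Note that every capability flag in this build is false: that means the payload does not start logging keys or taking screenshots on its own, not that it cannot, since those features are switched on by operator command at runtime.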

Targets

    • Target

      USD_Payment-Advice69802 Nogales 2023-07-11 .vbs

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Remcos

      Remcos is closed-source remote-control and surveillance software, sold commercially and widely abused as a remote access trojan.

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks for the QEMU guest agent's files, likely to detect that it is running inside a virtual machine.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution to or away from particular countries.

    • Adds Run key to start application

      Persistence via a value under a CurrentVersion\Run registry key, so the payload is started again at logon.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the hide-from-debugger flag, so an attached debugger receives no events for it.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Sets ThreadHideFromDebugger on an existing thread, a common anti-debugging technique.

    • Suspicious use of SetThreadContext

      Rewrites a thread's register context, typically to redirect execution into injected code.
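The signatures above name behaviours without showing the evidence behind them. The Python below is an added example, not the sandbox's signature engine, that re-derives each listed signature from a constructed API trace. The trace format, the QEMU agent path, the Geo\Nation registry value and the list of blocklisted script hosts are assumptions about how these checks normally surface; the C2 host and port come from the extracted config above, and the two thread constants are documented Windows values.

```python
"""Re-derive the behavioural signatures listed above from an API trace.

Added example, not the sandbox's own signature engine. Assumed: the trace format
(one dict per call: pid, process, api, args), the QEMU agent path, the Geo\\Nation
registry lookup and the blocklisted process list. The C2 endpoint is the one from
the extracted config; the thread constants are documented Windows values.
"""
C2_HOST = "ea01299e9ae43df8612cc3ecf2c968c41c55b74b483d44927dbc5185bd.crusherx1.cfd"
C2_PORT = 2404
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # assumed blocklist

THREAD_HIDE_FROM_DEBUGGER = 0x11              # THREADINFOCLASS ThreadHideFromDebugger
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit

# Constructed trace modelled on the behaviour reported above (not real sandbox output).
TRACE = [
    {"pid": 1204, "process": "wscript.exe", "api": "GetFileAttributesW",
     "args": {"path": r"C:\Program Files\Qemu-ga\qemu-ga.exe"}},
    {"pid": 1204, "process": "wscript.exe", "api": "RegQueryValueExW",
     "args": {"key": r"HKCU\Control Panel\International\Geo", "value": "Nation"}},
    {"pid": 1204, "process": "wscript.exe", "api": "RegSetValueExW",
     "args": {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
              "value": "Remcos",
              "data": r"C:\Users\analyst\AppData\Roaming\Remcos\remcos.exe"}},
    {"pid": 1204, "process": "wscript.exe", "api": "NtSetInformationThread",
     "args": {"info_class": 0x11}},
    {"pid": 1204, "process": "wscript.exe", "api": "NtCreateThreadEx",
     "args": {"create_flags": 0x4}},
    {"pid": 1204, "process": "wscript.exe", "api": "SetThreadContext",
     "args": {"target_pid": 2216}},
    {"pid": 1204, "process": "wscript.exe", "api": "connect",
     "args": {"host": C2_HOST, "port": C2_PORT}},
    {"pid": 1204, "process": "wscript.exe", "api": "connect",   # benign-looking noise
     "args": {"host": "ctldl.windowsupdate.com", "port": 80}},
]


def rule_qemu_agent(ev):
    path = ev["args"].get("path", "").lower()
    if ev["api"] in ("GetFileAttributesW", "CreateFileW", "FindFirstFileW") and "qemu-ga" in path:
        return "Checks QEMU agent file"


def rule_geofence(ev):
    key = ev["args"].get("key", "").lower()
    value = ev["args"].get("value", "").lower()
    if ev["api"].startswith("RegQueryValueEx") and key.endswith(r"\international\geo") and value == "nation":
        return "Checks computer location settings"


def rule_run_key(ev):
    key = ev["args"].get("key", "").lower()
    if ev["api"].startswith("RegSetValueEx") and key.endswith(r"\currentversion\run"):
        return "Adds Run key to start application"


def rule_hide_from_debugger(ev):
    if ev["api"] == "NtSetInformationThread" and ev["args"].get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
        return "Suspicious use of NtSetInformationThreadHideFromDebugger"
    if ev["api"] == "NtCreateThreadEx" and ev["args"].get("create_flags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
        return "Suspicious use of NtCreateThreadExHideFromDebugger"


def rule_set_thread_context(ev):
    # Writing another process's thread context is the classic injection/hollowing step.
    if ev["api"] == "SetThreadContext" and ev["args"].get("target_pid", ev["pid"]) != ev["pid"]:
        return "Suspicious use of SetThreadContext"


def rule_blocklisted_network(ev):
    # Keyed on the process, not the destination: a script host talking to anything fires.
    if ev["api"] == "connect" and ev["process"].lower() in SCRIPT_HOSTS:
        return "Blocklisted process makes network request"


def rule_known_c2(ev):
    if ev["api"] == "connect" and (ev["args"].get("host"), ev["args"].get("port")) == (C2_HOST, C2_PORT):
        return "Connects to extracted Remcos C2"


RULES = [rule_qemu_agent, rule_geofence, rule_run_key, rule_hide_from_debugger,
         rule_set_thread_context, rule_blocklisted_network, rule_known_c2]


def scan(trace):
    """Return every (pid, api, signature) hit; a single call can trip several rules."""
    hits = []
    for ev in trace:
        for rule in RULES:
            label = rule(ev)
            if label:
                hits.append((ev["pid"], ev["api"], label))
    return hits


def summarize(trace):
    """Distinct signature names, sorted, the way a report lists them."""
    return sorted({label for _, _, label in scan(trace)})


if __name__ == "__main__":
    for hit in scan(TRACE):
        print(*hit, sep="\t")
```

The process-based network rule fires on the windowsupdate connection as well as on the C2 one; that is the intended trade-off of a "blocklisted process" signature and is why the C2 match is kept as a separate, higher-confidence rule.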
