General

  • Target

    ILINV02655092023 AT20231749.exe

  • Size

    890KB

  • Sample

    230921-kc48jsgg78

  • MD5

    be5a939ce15470cb418311a731a05977

  • SHA1

    18792193d0d5291d0bc7cd91101b08a533fdbf97

  • SHA256

    878dfaab76cf42d9b0ac13431a95a6fbebd6f800e9e8d0538248e540f81813f1

  • SHA512

    e412e38812b20837f42e52cbb3d8459c00a5b31cfbe911310689cf4501675ef5def274c7da99c080f762f9882ef03757f73b33beee909ad4310cec713494598f

  • SSDEEP

    24576:eq7JcjVuj6xJCvuxFrtm9SpdmlK399NDpKGN/VcUNe:V7uw6x0uztmov3WGNNNe

Malware Config

Extracted

Family

remcos

Botnet

Crypted

C2

ourt2949aslumes9.duckdns.org:2401

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    paqlgkfs.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    ourvbpld-RBN2WW

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      ILINV02655092023 AT20231749.exe

    • Size

      890KB

    • MD5

      be5a939ce15470cb418311a731a05977

    • SHA1

      18792193d0d5291d0bc7cd91101b08a533fdbf97

    • SHA256

      878dfaab76cf42d9b0ac13431a95a6fbebd6f800e9e8d0538248e540f81813f1

    • SHA512

      e412e38812b20837f42e52cbb3d8459c00a5b31cfbe911310689cf4501675ef5def274c7da99c080f762f9882ef03757f73b33beee909ad4310cec713494598f

    • SSDEEP

      24576:eq7JcjVuj6xJCvuxFrtm9SpdmlK399NDpKGN/VcUNe:V7uw6x0uztmov3WGNNNe

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks