General

  • Target

    22f0ac97de0f5dd3d4a95b9ba14684a5.bin

  • Size

    860KB

  • Sample

    230922-bldyaade43

  • MD5

    70607533660d3988858923e6c7dcbac4

  • SHA1

    81d62f4972d109e9950251e746213c5b9401e65b

  • SHA256

    f90bc2429f21b0f1eb58a81330c6a627a3f6cace2189babc00f5bb4e2853448d

  • SHA512

    11d90e3e56aec489168a63b47d9fe99277caa43adc174a4670589d9a83452cc2dd21678c2865ebfce476a98fb75bc2efe62fd3cf1fa93e1b616330be3e8c473b

  • SSDEEP

    24576:8yRNydMK+NuadRk6+CS9iCVddwIHfYbTDm38:Vh5rRk6RS9iCqE0DmM

Malware Config

Extracted

Family

remcos

Botnet

Crypted

C2

95.214.24.210:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    ourytgbh.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    puestodg-TE5TIH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5
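The configuration listed above is what an analyst actually works from, so here is an added example (not part of the sandbox report and not Remcos code) that parses the report's own key/value listing, derives the host and network artifacts a hunt would look for, and then flags sources whose connections to the extracted C2 recur at the configured connect_interval. Assumptions: the attribute text embedded in the script is copied from the report with the blank startup_value omitted; connect_interval is treated as seconds; the connection records and the hostnames ws01..ws03 are constructed for illustration; the base directory the agent copies itself into is not stated on the page, so only the relative Remcos\remcos.exe path is derived.

```python
from collections import defaultdict
from statistics import median

# Attribute listing copied from the report above (a key line followed by its
# value line). startup_value is omitted because its value is blank on the page.
REPORT_CONFIG = """
C2
95.214.24.210:2404
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
install_flag
false
keylog_file
ourytgbh.dat
keylog_flag
false
keylog_path
%AppData%
mutex
puestodg-TE5TIH
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
"""


def parse_config(text):
    """Pair consecutive non-blank lines as key/value and type the values."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: a key without a value")
    cfg = {}
    for key, raw in zip(lines[0::2], lines[1::2]):
        if raw in ("true", "false"):
            cfg[key] = raw == "true"
        elif raw.isdigit():
            cfg[key] = int(raw)
        else:
            cfg[key] = raw
    return cfg


def hunt_artifacts(cfg):
    """Host- and network-level indicators implied by the configuration."""
    host, port = cfg["C2"].rsplit(":", 1)
    return {
        "c2": (host, int(port)),
        "mutex": cfg["mutex"],
        # Folder\file the agent copies itself to; the report does not state
        # the base directory, so only the relative path is derived here.
        "copy_target": f'{cfg["copy_folder"]}\\{cfg["copy_file"]}',
        "keylog_file": f'{cfg["keylog_path"]}\\{cfg["keylog_file"]}',
        "screenshot_dir": f'{cfg["screenshot_path"]}\\{cfg["screenshot_folder"]}',
        # Capabilities switched off in this build: do not expect these files.
        "keylogging": cfg["keylog_flag"],
        "screenshots": cfg["screenshot_flag"],
    }


# Constructed connection records: (epoch seconds, source host, dst ip, dst port).
CONN_LOG = [
    (1000, "ws01", "95.214.24.210", 2404),
    (1001, "ws01", "95.214.24.210", 2404),
    (1002, "ws01", "95.214.24.210", 2404),
    (1003, "ws01", "95.214.24.210", 2404),
    (1004, "ws01", "95.214.24.210", 2404),
    (1000, "ws02", "95.214.24.210", 2404),   # single hit, not beaconing
    (1000, "ws03", "203.0.113.7", 2404),     # same port, different server
    (1001, "ws03", "203.0.113.7", 2404),
    (1002, "ws03", "203.0.113.7", 2404),
    (1003, "ws03", "203.0.113.7", 2404),
]


def beaconing_hosts(records, c2, interval, min_hits=4, tolerance=0.5):
    """Sources whose connections to c2 recur at roughly `interval` seconds.

    `interval` is the config's connect_interval, assumed to be in seconds.
    """
    by_src = defaultdict(list)
    for ts, src, ip, port in records:
        if (ip, port) == c2:
            by_src[src].append(ts)
    flagged = []
    for src, times in by_src.items():
        times.sort()
        if len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if abs(median(gaps) - interval) <= tolerance:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    cfg = parse_config(REPORT_CONFIG)
    art = hunt_artifacts(cfg)
    print(art)
    print(beaconing_hosts(CONN_LOG, art["c2"], cfg["connect_interval"]))
```

The median of the inter-connection gaps is used rather than the mean so that a single long outage does not hide an otherwise regular beacon; with connect_interval at 1 and connect_delay at 0, an infected host hits the C2 almost continuously, which is why a tight tolerance still matches.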

Targets

    • Target

      80407312227a80e31ac1d171f2d9c8fb31ee16fc8d089d4c861d53b34e6630d2.exe

    • Size

      882KB

    • MD5

      22f0ac97de0f5dd3d4a95b9ba14684a5

    • SHA1

      8c79409bda7b2bcc4eb418494bf0904048ecb316

    • SHA256

      80407312227a80e31ac1d171f2d9c8fb31ee16fc8d089d4c861d53b34e6630d2

    • SHA512

      f1eda7b0ce1fce5edbfec10a01f3c072de5f035a773fc635c29eee67fcb1ed3eb4795007722457ae12cb0d4f9f5a1ad9d809f7eed758b312087644ae6a10b9be

    • SSDEEP

      24576:eq7JcjVuJlRAPpmZsWpdmlKK99NDpKGN/VcUN/:V7uEqisWvKWGNNN/

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                 Technique                            ID          Count
Persistence            Boot or Logon Autostart Execution    T1547       1
                       Registry Run Keys / Startup Folder   T1547.001   1
Privilege Escalation   Boot or Logon Autostart Execution    T1547       1
                       Registry Run Keys / Startup Folder   T1547.001   1
Defense Evasion        Modify Registry                      T1112       1
Discovery              Query Registry                       T1012       1
                       System Information Discovery         T1082       2
