General

  • Target

    FAT986545600986.pdf.uue

  • Size

    979KB

  • Sample

    231204-mfp9xaae4z

  • MD5

    3eb7d8959a9c5b82fa1bf9935ff50152

  • SHA1

    55f59fac10a180c0bd0d3d9bdcb72c6deac1b0e9

  • SHA256

    3f8fbd3962801ab4abd07d655a029a9c67fa3ac55de4f39c7b71d761cfcc54e0

  • SHA512

    29d3b9ab4ee112ff06a6132d9dbec27f6a8114d9bc737bdad7b817b77cc7c89d0ee129a57d361610dc17630e1c12f86b3f37032ec37a28c83641a42169461a6f

  • SSDEEP

    24576:QY2Q4KpZBlSrtZiRjQnxBMlrPkL4ZdiW6xHTxOb:l2pKZaZcQxBCcCiW6xMb

Score
10/10

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    107.175.229.139:8087

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-IZFV1M

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      FAT986545600986.bat

    • Size

      1MB

    • MD5

      470249dbfe3ac7f1d16ea4a52ef76fb3

    • SHA1

      984ef38fbfa4efd6b9310a07c4a6b2be63e328bf

    • SHA256

      f77532a0a209676025270db283534fc63ba0780415e8273d670fc6d1bc4bf1f5

    • SHA512

      ec2edf6140afcf84719a8a2d53303ee86fa6b32406b0fc99db6d87dcc162577b9766f88e5fb7643e4cb4fb09c5431c5ab3d8029800eab02aa1b81914e3faba39

    • SSDEEP

      24576:h34/up+pJ1sRbSz55MlrTQF4ZriIqBT3peD:h38PJ1QSz55CsIiIqBs

    Score
    10/10
    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    T1053 Scheduled Task/Job: 1

  • Persistence

    T1053 Scheduled Task/Job: 1

  • Privilege Escalation

    T1053 Scheduled Task/Job: 1

  • Discovery

    T1012 Query Registry: 1

    T1082 System Information Discovery: 2
