General

  • Target

    Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

  • Size

    1MB

  • Sample

    231207-jjd49sbef7

  • MD5

    d450c0d6afa6a22fc9fc53780bcc628b

  • SHA1

    65ae8b330c8da3f7c0699ea054cdcc857087bd38

  • SHA256

    ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31

  • SHA512

    20384a55ece7385a7c950ad984d75f778fc0c7975dfca813fe0b9890862649c26c5eea0e392648c66da491020e2818176c28bc89f1785159e9ed0f323748bc6e

  • SSDEEP

    12288:zy2iNpukyFWjrH66dn1uoLeyFfyu0AHyJy/bppvmT6TQ/lEtYyVgh2eV:G1XukRjr5pcobFJHxr+NNos

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:56932

45.128.234.54:56932

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-D11KCU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Payment Advice-BCS_ECS9522023032900460039_16922_952.exe

    • Size

      1MB

    • MD5

      d450c0d6afa6a22fc9fc53780bcc628b

    • SHA1

      65ae8b330c8da3f7c0699ea054cdcc857087bd38

    • SHA256

      ed5f392d0095487edd0f112db6a14bbd3e9dc13454e63bf17bb0816d15e93f31

    • SHA512

      20384a55ece7385a7c950ad984d75f778fc0c7975dfca813fe0b9890862649c26c5eea0e392648c66da491020e2818176c28bc89f1785159e9ed0f323748bc6e

    • SSDEEP

      12288:zy2iNpukyFWjrH66dn1uoLeyFfyu0AHyJy/bppvmT6TQ/lEtYyVgh2eV:G1XukRjr5pcobFJHxr+NNos

    • Detect ZGRat V1

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • ZGRat

      ZGRat is remote access trojan written in C#.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks