General

  • Target

    26195b0c00100533dc89b0722ac99e7f

  • Size

    1.4MB

  • Sample

    231231-dtvl4sgbfk

  • MD5

    26195b0c00100533dc89b0722ac99e7f

  • SHA1

    59c0a57e94cdd582d136f8893e3c1d60c8c30041

  • SHA256

    ff1f0466c9025766c57e036c21deb2fe75b863b947209fc01700506cb543d3a1

  • SHA512

    7914a2d9d2b0a2eb2430c63d2e2f081e1e1874f2cac36c425873d542c6049f3c80a79bc1906d22e7358e1802c9452f9aa6399a01c28339bd9122040d62847499

  • SSDEEP

    12288:ZKsQgEf+7gzU2ai6D3h0kaHHM/XxHYeKrrRJnIsd5+8rFy1gdBJ3zAKTmSACZHz:ksO+7Aai6Dban4BHc5+4yWnRAB4Hz

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

RemoteHost

C2

ostriuyer.myddns.me:7116

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-HDFETT

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    0

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Modifies WinLogon for persistence

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

MITRE ATT&CK Enterprise v15

Tasks