General

  • Target: ctyXleE.bin.zip
  • Size: 968KB
  • Sample: 240202-lnzymsdbfq
  • MD5: 97bff9bb572b19c36d72cdf8c9c1b169
  • SHA1: 21e7d10063aebe0bbed7cfd79deaa11133fde9d6
  • SHA256: 1d0ce0283552fe29532f674968d81c69edccfe6c75cd23e4dfa2c9a3b853524f
  • SHA512: 99e54c70aa0936a9920fabc4ecf29e36505157aef4559a2799bf63d9d6b31a67b463b28538eb77674bbb47a8f8191a46a5d531d7fd5e56d53076f987900b1398
  • SSDEEP: 24576:GHOP3jF8YFz/QtJxv7wRl9Q87lffCbElLjbk:P3j6uzItshQEeEl/Y

Score: 10/10

Malware Config

Extracted

  • Family: remcos
  • Botnet: Crypted
  • C2:
      172.206.61.17:55642
      172.206.61.17:55746
      172.206.61.17:55867
      172.206.61.17:55733

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: true
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: cuas.dat
  • keylog_flag: false
  • keylog_path: %UserProfile%
  • mouse_option: false
  • mutex: lienamsia-69XBIT
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value:
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: ctyXleE.bin
    • Size: 1.1MB
    • MD5: 366af1d2ce19d3a301988fed1c0ae1b3
    • SHA1: 5f5c653de134b7042d7d751e60acd7fe280c9fd4
    • SHA256: d33b79c8595a906ed7367e631d47ecee21f1319cbace6c90fbbed2d6a39dc0f7
    • SHA512: c88d805b8e5cc7f0459051a8dd0c1ab0897565aed4d63060c1fd11cea16bc8b21b0566f5aaea499665b28e01a352f1f7cf382ab657cc84b8c8fe3b88a73433b3
    • SSDEEP: 12288:ajXtTSdsW5TzFPlAdmQ63g/mDNUlYgDbQYhL1LiakshdFSvbcPmq4d53rD22QBxg:/RFPlAEQRuNm/QOL1ddIILcrDm

    Score: 10/10

    Signatures
    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                      #   ID
  Execution             Scheduled Task/Job             1   T1053
  Persistence           Scheduled Task/Job             1   T1053
  Privilege Escalation  Scheduled Task/Job             1   T1053
  Discovery             System Information Discovery   1   T1082

Tasks