General

  • Target

    9c89d5c943e0569efd3d2bc58b62a4ea

  • Size

    846KB

  • Sample

    240215-bbbeeada21

  • MD5

    9c89d5c943e0569efd3d2bc58b62a4ea

  • SHA1

    5560da6d905f87a54585d896e2d60cdd76e55f63

  • SHA256

    2274248efc8c44261f3f742f58cf46853ef66ee351b6612c6ffbfffcd06c1508

  • SHA512

    296aa08705d751fa49886bb0e669dd1b922531a30965fdf6283d4ea1908bdcc39587244527138222c9e5573fa657923a9e21f27d2a2f377d49402ef89544ce40

  • SSDEEP

    12288:ffIx+DGo6SpgiJ/zQ/+opWWoPQWrjWoYCsWR2p1nW9oTVut2fQIK6woYB5NgcI58:0G7J/zQ/+oZr0Tz6FFznN2PETrWhW4

Malware Config

Extracted

Family

remcos

Version

3.1.5 Pro

Botnet

RemoteHost1

C2

185.157.160.215:2405

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-L7JSN5

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;
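
The configuration above tells a responder exactly what this build will leave behind if it runs: a copy of itself at install_path\copy_folder\copy_file (%AppData%\Remcos\remcos.exe), a Run-key value named by startup_value pointing at that copy, a named mutex, and one TCP C2 endpoint. Keylogging and screenshots are compiled in but disabled (keylog_flag and screenshot_flag are false), so logs.dat and the Screenshots folder only appear if the operator enables those features at runtime. The Python below is an added example, not part of the sandbox report and not Remcos code: it derives those artefacts from the transcribed config and matches them against a few constructed telemetry lines. The %AppData% root C:\Users\victim\AppData\Roaming, the pipe-free key=value event layout and the event names (FileCreate, RegistryValueSet, MutexCreate, NetworkConnect) are assumptions chosen for illustration; map them to your own EDR or Sysmon schema.

```python
"""Derive host/network IOCs from the extracted Remcos config and check
constructed telemetry against them. Added example, not report or Remcos code."""
import ntpath
import re
from dataclasses import dataclass, field

# Transcribed from the report's "Malware Config" section.
REMCOS_CONFIG = {
    "c2": "185.157.160.215:2405",
    "mutex": "Remcos-L7JSN5",
    "install_flag": True,
    "install_path": "%AppData%",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "startup_value": "Remcos",
    "keylog_flag": False,
    "keylog_path": "%AppData%",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}

# Assumed profile root used to expand %AppData%; the real value depends on the
# victim user, so every path comparison below is case-insensitive.
ASSUMED_APPDATA = r"C:\Users\victim\AppData\Roaming"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass
class Iocs:
    c2: set = field(default_factory=set)      # "ip:port"
    mutex: str = ""
    run_value: str = ""                        # value name under RUN_KEY
    files: set = field(default_factory=set)    # artefacts this build writes on install
    latent: set = field(default_factory=set)   # configured but disabled at build time


def expand(path, *parts, appdata=ASSUMED_APPDATA):
    """Expand %AppData% and join Windows-style regardless of the analyst's OS."""
    root = re.sub(r"%appdata%", lambda _: appdata, path, flags=re.IGNORECASE)
    return ntpath.join(root, *parts)


def derive_iocs(cfg):
    iocs = Iocs(c2={cfg["c2"]}, mutex=cfg["mutex"], run_value=cfg["startup_value"])
    exe = expand(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"])
    if cfg["install_flag"]:
        iocs.files.add(exe)  # dropped copy, also the Run-key target
    keylog = expand(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"])
    shots = expand(cfg["screenshot_path"], cfg["screenshot_folder"])
    (iocs.files if cfg["keylog_flag"] else iocs.latent).add(keylog)
    (iocs.files if cfg["screenshot_flag"] else iocs.latent).add(shots)
    return iocs


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Assumed telemetry layout: space-separated key=value, values may be quoted."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def match_event(ev, iocs):
    """Return the rule names one parsed event trips (empty for benign events)."""
    hits, kind = [], ev.get("evt")
    files = {f.lower() for f in iocs.files}
    latent = {f.lower() for f in iocs.latent}
    if kind == "NetworkConnect" and f"{ev.get('dst')}:{ev.get('dport')}" in iocs.c2:
        hits.append("remcos_c2_connect")
    elif kind == "MutexCreate" and ev.get("name") == iocs.mutex:
        hits.append("remcos_mutex")
    elif kind == "RegistryValueSet":
        if (ev.get("key", "").lower() == RUN_KEY.lower()
                and ev.get("value", "").lower() == iocs.run_value.lower()):
            hits.append("remcos_run_key")
            if ev.get("data", "").lower() in files:
                hits.append("remcos_run_key_targets_dropped_exe")
    elif kind == "FileCreate":
        p = ev.get("path", "").lower()
        if p in files:
            hits.append("remcos_file_drop")
        elif p in latent or ntpath.dirname(p) in latent:
            hits.append("remcos_latent_artifact")  # a disabled feature was switched on
    return hits


# Constructed telemetry for illustration; the last NetworkConnect is benign.
SAMPLE_EVENTS = [
    r'evt=FileCreate path=C:\Users\victim\AppData\Roaming\Remcos\remcos.exe',
    r'evt=RegistryValueSet key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run '
    r'value=Remcos data="C:\Users\victim\AppData\Roaming\Remcos\remcos.exe"',
    r'evt=MutexCreate name=Remcos-L7JSN5',
    r'evt=NetworkConnect dst=185.157.160.215 dport=2405 proto=tcp',
    r'evt=NetworkConnect dst=10.0.0.5 dport=443 proto=tcp',
    r'evt=FileCreate path=C:\Users\victim\AppData\Roaming\remcos\logs.dat',
]


def scan(lines, iocs=None):
    iocs = iocs or derive_iocs(REMCOS_CONFIG)
    return [(rule, line) for line in lines for rule in match_event(parse_event(line), iocs)]


if __name__ == "__main__":
    for path in sorted(derive_iocs(REMCOS_CONFIG).files):
        print("expected artefact:", path)
    for rule, line in scan(SAMPLE_EVENTS):
        print(f"{rule:38} {line}")
```

The Run-key check fires on the value name alone and adds a second, higher-confidence rule when the data also points at the derived install path, which is how you would tier the alert; the latent set catches the keylog file or screenshot folder appearing even though this build shipped with those features off.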

Targets

    • Target

      9c89d5c943e0569efd3d2bc58b62a4ea

    • Size

      846KB

    • MD5

      9c89d5c943e0569efd3d2bc58b62a4ea

    • SHA1

      5560da6d905f87a54585d896e2d60cdd76e55f63

    • SHA256

      2274248efc8c44261f3f742f58cf46853ef66ee351b6612c6ffbfffcd06c1508

    • SHA512

      296aa08705d751fa49886bb0e669dd1b922531a30965fdf6283d4ea1908bdcc39587244527138222c9e5573fa657923a9e21f27d2a2f377d49402ef89544ce40

    • SSDEEP

      12288:ffIx+DGo6SpgiJ/zQ/+opWWoPQWrjWoYCsWR2p1nW9oTVut2fQIK6woYB5NgcI58:0G7J/zQ/+oZr0Tz6FFznN2PETrWhW4

    • Remcos

Remcos is closed-source remote control and surveillance software; the configuration extracted above shows this build installing to %AppData%\Remcos\remcos.exe with a Run-key value named Remcos and beaconing to 185.157.160.215:2405.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
