General

  • Target

    bf7263b764e448afc9ebc0a2b1d3c5cb

  • Size

    373KB

  • Sample

    240311-bg7d2age7z

  • MD5

    bf7263b764e448afc9ebc0a2b1d3c5cb

  • SHA1

    0b424d6643fd2f8612c2716128df1cfb5e6e576d

  • SHA256

    41cbe11b74100e521c478735575ad3f150c201e8bda5c3f1b2485dc9c34a60ba

  • SHA512

    6dd9f97b9985d8b9399c98db7b1d75bcfd4ff16ae52486eaeb937cb8b06658e7dda2b17682828db3cbd0deef1c948b618cdaf4dd55165515caabf30d5a50dd47

  • SSDEEP

    6144:Bdg5n5DJJL7XJAnY7yo0nqsJ445mgy+sk8VAX8dN4pO:6nnJHX+nO8hJB5mKD8ZZ

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

April

C2

137.74.176.164:1960

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    hebyd783.exe

  • copy_folder

    6ytghb

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %Temp%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    345e6r7t8y9uu9776eertryuy

  • keylog_path

    ApplicationPath

  • mouse_option

    false

  • mutex

    remcos_ltcntfbhju

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    546rt7gy8u980i9i08675e

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      bf7263b764e448afc9ebc0a2b1d3c5cb

    • Size

      373KB

    • MD5

      bf7263b764e448afc9ebc0a2b1d3c5cb

    • SHA1

      0b424d6643fd2f8612c2716128df1cfb5e6e576d

    • SHA256

      41cbe11b74100e521c478735575ad3f150c201e8bda5c3f1b2485dc9c34a60ba

    • SHA512

      6dd9f97b9985d8b9399c98db7b1d75bcfd4ff16ae52486eaeb937cb8b06658e7dda2b17682828db3cbd0deef1c948b618cdaf4dd55165515caabf30d5a50dd47

    • SSDEEP

      6144:Bdg5n5DJJL7XJAnY7yo0nqsJ445mgy+sk8VAX8dN4pO:6nnJHX+nO8hJB5mKD8ZZ

    • Modifies WinLogon for persistence

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks