General

  • Target

    c8516d6d8b755bebd51020602814ee36f447cf379f7e0ac0be3f576f573ada37.vbs

  • Size

    11KB

  • Sample

    240323-cy85mafa51

  • MD5

    6646a9bb09a2b4728226279754b6dafe

  • SHA1

    d3a0ce176ab0318ee04af196c94c4651c45669aa

  • SHA256

    c8516d6d8b755bebd51020602814ee36f447cf379f7e0ac0be3f576f573ada37

  • SHA512

    98c92b70a97659ecdc0f032582e8515b40f0841a1ea83918639e3f6ad6a3f014b938aa958eeea968b795945e40bc21e2ea2d371d1fef72d8b02af3747d19a7c8

  • SSDEEP

    192:1NCDZe4/HFVEKNCLDyOjduQ1PrWZj5DagfFWLJVgf/CNIY84aXn:2DZe4bKduoPAj5Vteg/CM4aXn

Malware Config

Extracted

Family

remcos

Botnet

Latest

C2

85.209.176.69:57484

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    pavnspt.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    lakosegtst-I6VUY0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks