General

  • Target

    TSTS 0005A.bat

  • Size

    922KB

  • Sample

    240405-lzpl2sha6y

  • MD5

    b195643d6d8c3f81c7409533ad14726c

  • SHA1

    c09b56928fb1f448ed9b3610a0b930f77e2ebcfe

  • SHA256

    f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2

  • SHA512

    b843153f581be5a77b8575cf09e25333d5eaf5af3b689441ad0af336c4494a6181d5882dfa8b2ba2d90acb64cd3db9ab26f1cf87e1991f996d26cbb6990c5fb8

  • SSDEEP

    24576:JgjHr6DLW5Gaxs00MUVXdtS6seDmw+Op8lCua51:WrpDxclG65mg8lCuo

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sembe.duckdns.org:14645

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    notess

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-P0AEMX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      TSTS 0005A.bat

    • Size

      922KB

    • MD5

      b195643d6d8c3f81c7409533ad14726c

    • SHA1

      c09b56928fb1f448ed9b3610a0b930f77e2ebcfe

    • SHA256

      f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2

    • SHA512

      b843153f581be5a77b8575cf09e25333d5eaf5af3b689441ad0af336c4494a6181d5882dfa8b2ba2d90acb64cd3db9ab26f1cf87e1991f996d26cbb6990c5fb8

    • SSDEEP

      24576:JgjHr6DLW5Gaxs00MUVXdtS6seDmw+Op8lCua51:WrpDxclG65mg8lCuo

    Score
    10/10
    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks