General

  • Target

    70c45fc843dee69c8a55b7910d91d0b4dd371c7ea59d8eb43ff3d79c19064b92

  • Size

    703KB

  • Sample

    240408-phl2dacc4x

  • MD5

    cfeae297e7b47d957e9e275ede703064

  • SHA1

    f31ea0ebf131e7186acf028687581318642eff74

  • SHA256

    70c45fc843dee69c8a55b7910d91d0b4dd371c7ea59d8eb43ff3d79c19064b92

  • SHA512

    ebd1a85b790743ee2784a87b0d993151d6c7a53eb1ab5f72cd79d490c56aca511ae369dd04067187ea62bbd3cde803c1bc7b1d628696aff4e3c0ce5e21051e1a

  • SSDEEP

    12288:HpIgdWtnyVADTJUSx1VUDp5eHKCREbiALl4JFznCy:XdWtnyVAJvx1VUKkOMOJ1C

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

81.17.17.70:1198

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    windowsfiles.exe

  • copy_folder

    windowsfiles

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    windowsfiles

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-NMB4R7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      70c45fc843dee69c8a55b7910d91d0b4dd371c7ea59d8eb43ff3d79c19064b92

    • Size

      703KB

    • MD5

      cfeae297e7b47d957e9e275ede703064

    • SHA1

      f31ea0ebf131e7186acf028687581318642eff74

    • SHA256

      70c45fc843dee69c8a55b7910d91d0b4dd371c7ea59d8eb43ff3d79c19064b92

    • SHA512

      ebd1a85b790743ee2784a87b0d993151d6c7a53eb1ab5f72cd79d490c56aca511ae369dd04067187ea62bbd3cde803c1bc7b1d628696aff4e3c0ce5e21051e1a

    • SSDEEP

      12288:HpIgdWtnyVADTJUSx1VUDp5eHKCREbiALl4JFznCy:XdWtnyVAJvx1VUKkOMOJ1C

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks