General

  • Target

    ibcomonkeykingloverdontforogetokissherwithlotoflovebecauseheisveryvaluablekingeveriseenheisverygoodgirl___myhappinessinthrgirl.doc

  • Size

    79KB

  • Sample

    240426-napxmafb64

  • MD5

    f7fabb6a3c4d7f625cc9398bd7713b4e

  • SHA1

    818eff2b9c97eb2debcb058caf4221b4e96bca85

  • SHA256

    246a56126023decef480763c6aeb0835b304b780229dfae1c4da57ece6426abd

  • SHA512

    0ab1fc7e351ba6728193fb958b12217a639ad01f0067c012c5de795ff3d18f8dc41716f2c6349f0960e50c80810cd54473044f0927816398adb7131c4427a36b

  • SSDEEP

    1536:ArwYaxLA/2q5Iqr7DXYwOk5UKpebeHdmcY3DCXiAwN/dFu/CZr:ArwYax+ZTr7DXYwOk55sbMdmcY3mXiAI

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sembe.duckdns.org:14645

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    nots.dat

  • keylog_flag

    false

  • keylog_folder

    note

  • keylog_path

    %Temp%

  • mouse_option

    false

  • mutex

    Rmc-999Z97

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks