General

  • Target: dc_234TCLU9801307.xls
  • Size: 239KB
  • Sample: 240430-gd1pzadg66
  • MD5: 329892f3544cdf726a07ddd9a7706277
  • SHA1: 08fcbce34fedf394c3372c856102dc58b185581d
  • SHA256: 3654d2e5e2df56f0559fd705ddf330c0d7b72d4794d88d5e58d6884ecc1fabf1
  • SHA512: 9e53ee71f2e8282958e82108f75bc59b993d8a29b99d3162c50b5716a9f8ae9e71d22e7364f364c0d8c534b9afab9a498bf78b52dcc93868d960c346ce5e65e9
  • SSDEEP: 6144:kd4UcLe0JOqPQZR8MDdATCR3tSv0W8pSdc6qeRAtYgHBZ2wSj:3UP/qPQZR8MxAm/S8W8KqqXYg

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: sembe.duckdns.org:14645

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: nots.dat
  • keylog_flag: false
  • keylog_folder: note
  • keylog_path: %Temp%
  • mouse_option: false
  • mutex: Rmc-999Z97
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Remcos: Remcos is a closed-source remote control and surveillance software.
    • Blocklisted process makes network request
    • Abuses OpenXML format to download file from external location
    • Adds Run key to start application
    • Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks