General

  • Target

    dc234TCLU9801307.xls

  • Size

    239KB

  • Sample

    240430-mnhj2aaa92

  • MD5

    0ea66e7eca8aa73fd78470a9e207a180

  • SHA1

    1414b37d9e5692e705da91f835e17cf1dcbc5bb2

  • SHA256

    1fb0cdc421a18a19eaf0de44c9d467fe76b8af9b65b6174c7de9d2d435196b10

  • SHA512

    57ffe2fd466bca8a3eb06d484aa0a5e868b22cd3d71a511215a085da9f4b62ae532a939ef5ab7f88bd6d428b5b5230d4a3525fd5a724990a0082bd78fbc61c66

  • SSDEEP

    6144:pd4UcLe0JOqPQZR8MDdATCR3tSv0W89IFX913ufj2J:MUP/qPQZR8MxAm/S8W89Hg

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    sembe.duckdns.org:14645

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    nots.dat

  • keylog_flag

    false

  • keylog_folder

    note

  • keylog_path

    %Temp%

  • mouse_option

    false

  • mutex

    Rmc-999Z97

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      dc234TCLU9801307.xls

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Abuses OpenXML format to download file from external location

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
