General

  • Target

    SwiftPaymentRef_002993d93039.7Z

  • Size

    1.2MB

  • Sample

    240508-vmhgmsgh59

  • MD5

    0f0c14d52036838e53879c2d7ee8b21c

  • SHA1

    0103d5d9f8fe6d7dfc791ec2b12015b727f9ec4e

  • SHA256

    9bfdd773846d716fbcd4837f0b7864f622072412ce5ab3fcedad413e7a40a55a

  • SHA512

    4a9820df710e36b93ee27efe91ad60a718d48ea147043fc53095a88ef2b794c4a2f7b64a6cbdbbd6b75a3dc65601eb6cc749fbae16435f514281a7d27ba99110

  • SSDEEP

    24576:1iEHFPIOiJ1hn2rGoca3rKnc42AImsDp0eES9xH97wK9mT9:c8a5/a7Knc42tmWpnJwK9mT9

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    Swift

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    iexplorer

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    zmt-XF0CR9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      SwiftPaymentRef_002993d93039.exe

    • Size

      1.2MB

    • MD5

      6eb823ea2f01727c7f29bed5ad17a592

    • SHA1

      adfa5d6bd27a16ce33ada6fde7194ccc1a7e1192

    • SHA256

      da4fd886b7ca69a6e1eb12c6698f7b99e5623860fa3172c4c3287381051d59dd

    • SHA512

      2e70951ff4f7affe98abd5d0cf75d0f89e06a272463cfab8d98743412b930cb11d6980690b93b63935d25d797e9942341f32f645b18f6ef933d95d1ff847baad

    • SSDEEP

      24576:diEHFPIOiJ1hn2rGoca3rKnc42AImsDp0eES9xH97wK9mT:U8a5/a7Knc42tmWpnJwK9mT

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks