General

  • Target

    GDVCDDD.tmp.zip

  • Size

    787KB

  • Sample

    240509-2lc9vsaf7t

  • MD5

    5f71607d12581d8d425c75bb47e09505

  • SHA1

    76f9f40e8bcdbebf7dbf3625c9e8e930011eb56a

  • SHA256

    be32aacbb47498a6126f1f1b2318be29431ebd6fbd09812a61d734b6c1f14574

  • SHA512

    e39e4e9896a84df890d73473873a02541a758cbded50b5b242c170ff39bd3f7749ec8c3210ba55439e033eb69c93c9f435981c5432f2ca3c7158110dfcf7b537

  • SSDEEP

    12288:PsCwfpg4MpBlhFNyfwOJ9rA2rlCfu5yp5Fdayk6qX0LZhBWlhrn8zvaMvaKpmzxD:PsGpBlhyYKhPA2spTZk6qX0N/iiaKsoq

Malware Config

Extracted

Family

remcos

Botnet

1218202300

C2

softwareupdatexkwre.duckdns.org:45682

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    hdgd-8HWPTM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
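The extracted configuration above is enough to build host and network indicators for this sample. The Python below is an added example, not tooling from the sandbox or from Remcos itself: it copies the config values from this report into a dictionary, turns the C2 entry and mutex into unconditional indicators, derives file-path indicators only when the flag that enables the feature (install_flag, keylog_flag, screenshot_flag) is true, and matches the result against constructed sample telemetry. Treating %AppData% as the base directory for the install copy and keylog folder is an assumption; the report only states it as screenshot_path. The caveat it encodes matters for this particular config: with all three flags false, the only artifacts this implant will reliably produce at runtime are the mutex and the C2 connection, and names like remcos.exe or logs.dat are present in the config but not expected on disk.

```python
import re

# Values copied from the Malware Config section of this report.
REMCOS_CONFIG = {
    "c2": ["softwareupdatexkwre.duckdns.org:45682"],
    "mutex": "hdgd-8HWPTM",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
}


def parse_c2(entry):
    """Split a Remcos 'host:port' C2 entry into (host, port)."""
    host, sep, port = entry.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"malformed C2 entry: {entry!r}")
    return host.lower(), int(port)


def derive_iocs(cfg):
    """Group indicators by how reliably the implant will produce them.

    The mutex and C2 are used unconditionally; a file artifact is only
    expected on disk when the flag that enables it is true, so disabled
    features are reported separately instead of becoming indicators.
    """
    iocs = {"dns": set(), "ports": set(), "mutex": {cfg["mutex"]},
            "paths": set(), "disabled": []}
    for entry in cfg["c2"]:
        host, port = parse_c2(entry)
        iocs["dns"].add(host)
        iocs["ports"].add(port)
    # Assumption (not stated by the report): the install copy and keylog
    # folder live under the same base directory as screenshot_path.
    base = cfg["screenshot_path"]
    artifacts = [
        ("install_flag", f"{base}\\{cfg['copy_folder']}\\{cfg['copy_file']}"),
        ("keylog_flag", f"{base}\\{cfg['keylog_folder']}\\{cfg['keylog_file']}"),
        ("screenshot_flag", f"{base}\\{cfg['screenshot_folder']}"),
    ]
    for flag, path in artifacts:
        if cfg[flag]:
            iocs["paths"].add(path)
        else:
            iocs["disabled"].append(flag)
    return iocs


def path_pattern(ioc_path):
    """Compile a config path containing %AppData% into a case-insensitive
    regex over real Windows paths; matches the path itself or anything
    below it."""
    parts = [re.escape(p) for p in ioc_path.split("%AppData%")]
    regex = r".*\\AppData\\Roaming".join(parts) + r"(?:$|\\)"
    return re.compile(regex, re.IGNORECASE)


def match_events(iocs, events):
    """Return (event, reason) pairs for telemetry records hitting the IOC set."""
    patterns = [path_pattern(p) for p in iocs["paths"]]
    hits = []
    for ev in events:
        if ev["type"] == "dns" and ev["query"].lower().rstrip(".") in iocs["dns"]:
            hits.append((ev, "c2 domain"))
        elif ev["type"] == "mutex" and ev["name"].rsplit("\\", 1)[-1] in iocs["mutex"]:
            hits.append((ev, "remcos mutex"))
        elif ev["type"] == "file" and any(p.match(ev["path"]) for p in patterns):
            hits.append((ev, "config path"))
    return hits


# Constructed sample telemetry for the example; not taken from the sandbox run.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "softwareupdatexkwre.duckdns.org"},
    {"type": "dns", "query": "update.example.com"},
    {"type": "mutex", "name": r"\Sessions\1\BaseNamedObjects\hdgd-8HWPTM"},
    {"type": "file", "path": r"C:\Users\victim\AppData\Roaming\Remcos\remcos.exe"},
]

if __name__ == "__main__":
    iocs = derive_iocs(REMCOS_CONFIG)
    for ev, reason in match_events(iocs, SAMPLE_EVENTS):
        print(f"{reason}: {ev}")
    print("features off in this config, no file artifacts expected:", iocs["disabled"])
```

Run as-is, the only hits are the DNS query for the C2 host and the mutex; the remcos.exe path in the sample telemetry is ignored because install_flag is false. Flip install_flag to true and the same path becomes a hit, which is the behaviour you want when the same config-to-IOC routine is reused across Remcos samples with different settings.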

Targets

    • Target

      AWB JGS-002-20240507 DOCUNMENTS.exe

    • Size

      811KB

    • MD5

      ee60d483d59011c989fc7a56deca8923

    • SHA1

      dd414ba3307c37ff440c7bb84410f803acaaa711

    • SHA256

      8e74e39d47f93876716dd58b3aa2d0e009a67354b5eb09a12bdd65ac9a319ba7

    • SHA512

      313695b597d205432e27ac65be3c028686ffa2dd98bd3543ba09659997a4e7005ec04593b4131843714187b18a95bb381106080848894ce1ac59e5c15c6aa197

    • SSDEEP

      12288:PYV6MorX7qzuC3QHO9FQVHPF51jgcwNE4fIwfx/nA57lYrCUaP1OyFjsd:cBXu9HGaVHqE4g8nA5CrXazFj0

    Signatures

    • Remcos

      Remcos is closed-source remote control and surveillance software, sold commercially and widely abused as a remote access trojan (RAT).

    • UPX packed file

      Detects executables packed with the UPX open-source packer or a modified UPX build.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

      SetThreadContext lets one process rewrite the register state of a thread in another process; together with a suspended child process it is a common step in process hollowing, where the thread's instruction pointer is redirected to injected code.

    • Target

      out.upx

    • Size

      1.3MB

    • MD5

      a43a498c1226f06fb7061f5e8ae714c4

    • SHA1

      810d1c3eabdc7223762417c3acf14cfa5af28b27

    • SHA256

      97c0ba69ba0959ecda8193e99ec0af0a1607ddd4dcefbf1572427f0c8768c49e

    • SHA512

      e68fe09994f88e8d5f2e47444f1244b8340158a43cbf9dc54970b2be37df3b51b3ecf666af971a75cf9479e483e6c4ad9876adabc1396109dd51fabf117213c6

    • SSDEEP

      24576:lAHnh+eWsN3skA4RV1Hom2KXDmmE4g8nA5CrXazFj0:Uh+ZkldoPKzvO8nA5C7azV

    Score
    1/10
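The UPX and AutoIt signatures above can be reproduced with a few bytes of PE parsing. The Python below is an added example and not the sandbox's detection code: it walks the MZ, PE and COFF headers to read section names, flags stock UPX section names or the UPX! magic that UPX writes into the packed file, and looks for the AU3!EA06 marker that compiled AutoIt v3 scripts carry. The PE blobs it scans are constructed fixtures built by build_pe (minimal header chains, not loadable binaries), not bytes from the samples listed in this report.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"           # l_info magic written into UPX-packed files
AUTOIT_MARKER = b"AU3!EA06"   # script-resource header in compiled AutoIt v3 binaries


def build_pe(section_names, overlay=b""):
    """Constructed test fixture: a minimal PE header chain (MZ -> PE\\0\\0 ->
    COFF header with no optional header -> section table), not a loadable
    binary. Only the fields the checks below read are meaningful."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack(
        "<HHIIIHH",
        0x14C,                 # Machine: IMAGE_FILE_MACHINE_I386
        len(section_names),    # NumberOfSections
        0, 0, 0,               # TimeDateStamp, PointerToSymbolTable, NumberOfSymbols
        0,                     # SizeOfOptionalHeader (omitted in the fixture)
        0x102,                 # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    table = b"".join(name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                     for name in section_names)
    return dos_header + b"PE\0\0" + coff_header + table + overlay


def section_names(data):
    """Walk the PE headers and return the section names in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional
    names = []
    for i in range(number_of_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return names


def looks_upx_packed(data):
    """Stock UPX names its sections UPX0/UPX1; a modified build may rename
    them, so also look for the UPX! magic left in the file."""
    return bool(set(section_names(data)) & UPX_SECTION_NAMES) or UPX_MAGIC in data


def looks_autoit(data):
    """Compiled AutoIt scripts carry the AU3!EA06 marker; if the marker sits
    in a region the packer compressed it is only visible after unpacking."""
    return AUTOIT_MARKER in data


def classify(data):
    """Return the signature names, in this report's wording, that fire."""
    findings = []
    if looks_upx_packed(data):
        findings.append("UPX packed file")
    if looks_autoit(data):
        findings.append("AutoIT Executable")
    return findings


# Constructed fixtures, not bytes from the samples in this report.
SAMPLE_UPX = build_pe(["UPX0", "UPX1", ".rsrc"], overlay=b"\0" * 8 + UPX_MAGIC + b"\0" * 8)
SAMPLE_AUTOIT = build_pe([".text", ".rdata", ".data", ".rsrc"],
                         overlay=b"\0" * 8 + AUTOIT_MARKER + b"\0" * 8)
SAMPLE_RENAMED_UPX = build_pe([".text", ".data"], overlay=UPX_MAGIC)  # sections renamed, magic kept
SAMPLE_CLEAN = build_pe([".text", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, blob in [("upx", SAMPLE_UPX), ("autoit", SAMPLE_AUTOIT),
                        ("renamed-upx", SAMPLE_RENAMED_UPX), ("clean", SAMPLE_CLEAN)]:
        print(label, section_names(blob), classify(blob))
```

Two practical notes. The section-name check alone misses a "modified UPX" build that renames its sections, which is why the magic string is checked as well; and for a packed sample the AutoIt check should be repeated on the unpacked image, since a marker inside compressed data is invisible to a byte scan of the packed file.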
