General

  • Target

    0fd996539059f60193b9ed7dfc26c4d0.bin

  • Size

    7KB

  • Sample

    240509-bdv7laca74

  • MD5

    10a8d498c01d32ceabbb87a6dc1d674f

  • SHA1

    1526b10e601a1b17dd6467181965e1e1d6055e2c

  • SHA256

    132853598c61628065a0a0d80a532e1c60fe28b8e1601f14135c00dd4b6b0684

  • SHA512

    0c750471fa9c06807873c865e988224f673cf924bcbfc6c7a06714e210d652687d84e7740f60d435942b782b28def2ffa14538531147e7fc0e4dc038a5263a4c

  • SSDEEP

    192:FkaLQdGDWdO8BnaElP1aaew/j4L4znaQ3syMtGriUEJbxPGs+K7lkM:FkaLuG6dPKW2Kna8sxnUEJt+MRkM

Malware Config

Extracted

Family

remcos

Botnet

wagon1

C2

wagonofficeteam.duckdns.org:1965

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-Y8AEVF

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      e4d59d66203616fe9507e9552bb6704ad0cd31563aaf9efb1f3a0cd196d0caea.vbs

    • Size

      58KB

    • MD5

      0fd996539059f60193b9ed7dfc26c4d0

    • SHA1

      b0afe97b0e1cb624d464a9a94bb2d60c91415f51

    • SHA256

      e4d59d66203616fe9507e9552bb6704ad0cd31563aaf9efb1f3a0cd196d0caea

    • SHA512

      a9b735c2fc4e82d5339a097fda3f2f215f8b73af65f70608fa8d2886ff9fec0f4cc14fe3debeda4458f3e6590bf996af9315cb84f74e42e67a4e29bde0df56d4

    • SSDEEP

      384:FZAaML0xUFUIZK6npMSnBIRpuokp6jM1L7Kc0ZqEXJg:7xxe7iSnBIRgokpq9ZZZg

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks