General

  • Target: 4.exe
  • Size: 811KB
  • Sample: 240509-rbygyagb58
  • MD5: ee60d483d59011c989fc7a56deca8923
  • SHA1: dd414ba3307c37ff440c7bb84410f803acaaa711
  • SHA256: 8e74e39d47f93876716dd58b3aa2d0e009a67354b5eb09a12bdd65ac9a319ba7
  • SHA512: 313695b597d205432e27ac65be3c028686ffa2dd98bd3543ba09659997a4e7005ec04593b4131843714187b18a95bb381106080848894ce1ac59e5c15c6aa197
  • SSDEEP: 12288:PYV6MorX7qzuC3QHO9FQVHPF51jgcwNE4fIwfx/nA57lYrCUaP1OyFjsd:cBXu9HGaVHqE4g8nA5CrXazFj0

Malware Config

Extracted

  • Family: remcos
  • Botnet: 1218202300
  • C2: softwareupdatexkwre.duckdns.org:45682

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: hdgd-8HWPTM
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: 4.exe (size and hashes as listed under General)

    • Remcos: Remcos is closed-source remote control and surveillance software.
    • UPX packed file: Detects executables packed with the UPX open-source packer or a modified UPX build.
    • AutoIT Executable: AutoIT scripts compiled to PE executables.
    • Suspicious use of SetThreadContext
