General

  • Target

    Purchase Order.zip

  • Size

    450KB

  • Sample

    240513-kddrzsfd57

  • MD5

    a8e54cd71a9542020d401b6c9b256589

  • SHA1

    9d08f90763a0207aea3b3a23f9835dacc16cfdac

  • SHA256

    e6f6c539da2c4a76486b2351967986aa9e56cc7afb1acf94fb363c8cb844185f

  • SHA512

    d13d8517ec67914e04d61753b4df7efaa05d7b3e321fb1507253269205aa37af205a9bc993c6e882111b8b534a7d9ef78a897d01e9b2dce6dfb2a1959eacb196

  • SSDEEP

    12288:CiAXpkxN0CxLHkpxPYDJbSl+xQsVNHpmbVeO:+X0N0CxL+gDh7Pho8O

Malware Config

Extracted

Family

remcos

Botnet

abig1

C2

tochisglobal.ddns.net:6426

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    -2MBZMJ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Purchase Order.exe

    • Size

      566KB

    • MD5

      996cd1a4008e0fca3750e9524bd13a9d

    • SHA1

      f202d20579ba03acb804f651bf66e2ab47add4c8

    • SHA256

      00473ae2a9e945343456d0193e1a5fe58c71776f42e747249a3c435b8ce7e1bb

    • SHA512

      8b71beb452cb4f03f6e9fc897ec1164f5ec8e547d3c6ee57ab5c07cca22d5cd71371f8dee45cb63e7bec838dc4b30b34a187b5e81439b3e71553b35a71f9e7b2

    • SSDEEP

      12288:ja+TesAUQUC4Mpx3Y1JbSd+xQgVN9pmdVepFq:28esAfUPGI1h3RHY8rq

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
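
The extracted configuration above (C2 host and port, mutex, copy/keylog/screenshot/audio folders) together with the observed behaviours (hidden PowerShell, Run key, C2 traffic) give an analyst enough to hunt for this sample on other hosts. The Python script below is an added example and is not part of the sandbox report: it turns the config values into host and network IOCs and matches them against Sysmon-style events. The config values are transcribed from the report; the event lines and their flattened Key=Value format are constructed for illustration. The %AppData% layout for the copy, keylog and audio folders follows public Remcos write-ups and is an assumption. Note that install_flag is false in this config, so the Run key the sandbox observed was probably set by the outer stage rather than by the Remcos core; the copy path is listed anyway so it is hunted regardless.

```python
"""Remcos config -> IOCs -> Sysmon-style log matching (added example, not sandbox output)."""
import re
from dataclasses import dataclass

# Values transcribed from the report's extracted Remcos config.
REMCOS_CONFIG = {
    "c2": "tochisglobal.ddns.net:6426",
    "mutex": "-2MBZMJ",
    "install_flag": "false",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_folder": "MicRecords",
}


@dataclass(frozen=True)
class RemcosIocs:
    c2_host: str
    c2_port: int
    mutex: str
    paths: tuple  # %AppData%-based paths the implant may create


def derive_iocs(cfg):
    """Build host and network IOCs from the extracted config.

    Assumption (public Remcos write-ups, not this report): copy, keylog and audio
    folders are created under %AppData%, screenshots under screenshot_path.
    install_flag is false here, so the copy/Run-key step is not driven by this
    config, but the copy path is still worth hunting."""
    host, _, port = cfg["c2"].rpartition(":")
    base = "%AppData%"
    paths = (
        f"{base}\\{cfg['copy_folder']}\\{cfg['copy_file']}",
        f"{base}\\{cfg['keylog_folder']}\\{cfg['keylog_file']}",
        f"{cfg['screenshot_path']}\\{cfg['screenshot_folder']}",
        f"{base}\\{cfg['audio_folder']}",
    )
    return RemcosIocs(host.lower(), int(port), cfg["mutex"], paths)


# Flattened "Key=Value Key=Value" events (constructed format, values may contain spaces).
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Loose heuristic for 'powershell -WindowStyle Hidden' (PowerShell accepts prefixes like -w h).
_HIDDEN_PS = re.compile(r"-w\w*\s+h(?:idden)?\b", re.IGNORECASE)
_RUN_KEY = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


def parse_event(line):
    return dict(_KV.findall(line))


def _path_regex(ioc_path):
    # %AppData% expands to <profile>\AppData\Roaming; match that tail and anything beneath it.
    tail = re.escape(ioc_path.replace("%AppData%", ""))
    return re.compile(r"\\appdata\\roaming" + tail + r"(?:\\|$)", re.IGNORECASE)


def match_event(ev, iocs):
    """Return the reasons an event matches this sample's IOCs or observed behaviours."""
    hits = []
    eid = ev.get("EventID")
    if eid == "22" and ev.get("QueryName", "").lower() == iocs.c2_host:
        hits.append("DNS lookup of C2 host")
    if eid == "3":
        if ev.get("DestinationHostname", "").lower() == iocs.c2_host:
            hits.append("connection to C2 host")
        if ev.get("DestinationPort") == str(iocs.c2_port):
            hits.append(f"connection to C2 port {iocs.c2_port}")
    if eid == "11":
        for p in iocs.paths:
            if _path_regex(p).search(ev.get("TargetFilename", "")):
                hits.append(f"file created at config path {p}")
    if eid == "13" and _RUN_KEY.search(ev.get("TargetObject", "")):
        hits.append("Run key persistence")
    if eid == "1" and "powershell" in ev.get("Image", "").lower() \
            and _HIDDEN_PS.search(ev.get("CommandLine", "")):
        hits.append("PowerShell launched with hidden window")
    return hits


def scan(lines, iocs):
    """Return (line index, reasons) for every event that matches."""
    findings = []
    for i, line in enumerate(lines):
        hits = match_event(parse_event(line), iocs)
        if hits:
            findings.append((i, hits))
    return findings


# Constructed events: five that should fire, two benign ones that should not.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -WindowStyle Hidden -c Start-Sleep 5",
    "EventID=13 Image=C:\\Users\\bob\\Desktop\\Purchase Order.exe TargetObject=HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Remcos Details=C:\\Users\\bob\\AppData\\Roaming\\Remcos\\remcos.exe",
    "EventID=22 Image=C:\\Users\\bob\\Desktop\\Purchase Order.exe QueryName=tochisglobal.ddns.net QueryResults=203.0.113.7;",
    "EventID=3 Image=C:\\Users\\bob\\Desktop\\Purchase Order.exe DestinationIp=203.0.113.7 DestinationPort=6426 DestinationHostname=tochisglobal.ddns.net",
    "EventID=11 Image=C:\\Users\\bob\\Desktop\\Purchase Order.exe TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\remcos\\logs.dat",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp=198.51.100.20 DestinationPort=443 DestinationHostname=example.org",
    "EventID=11 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\report.lnk",
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS, derive_iocs(REMCOS_CONFIG)):
        print(i, "; ".join(reasons))
```

The mutex is carried in the IOC set but not matched here, since Sysmon does not log mutex creation; it is meant for handle or memory triage on a suspect host. The port-only rule is deliberately separate from the hostname rule so its weaker confidence is visible in the output.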

MITRE ATT&CK Enterprise v15