General

  • Target

    BILLOFLADING-IMPORTS-DOCS.exe

  • Size

    1.6MB

  • Sample

    240520-m8w8xsgg24

  • MD5

    a10f8a0cc9559e86df8b35b36192f10a

  • SHA1

    f00b29322c2b1664ab8c12be02c7b6d631a94ab3

  • SHA256

    6635a58c79d9128fb9427ca417b6d329fcb387eeeb0355086968bfa2b9e13abd

  • SHA512

    c3f174412af6a299fa5d7fe524ab791b30c821b105b961e42f9444826f761a4892e5c73d6d9e8b1aeab01f2528c30062bcebb4701b8bb06f369b02f29340c54d

  • SSDEEP

    24576:S5pcAD5VQ8dJ6tsPVi9+vx7+3LStGd1yZLv4z+wmh5OrmXIY4oGcTot3eA6wC:l8u9+piYGd1yZ0zuh5AHcexi

Malware Config

Extracted

Family

remcos

Botnet

WK

C2

embargogo237.duckdns.org:10521

embargogo2378.duckdns.org:10522

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    iexplorer

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    zmt-C10PFT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • UAC bypass

    • Windows security bypass

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Checks whether UAC is enabled

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
