General
- Target: BILLOFLADING-IMPORTS-DOCS.exe
- Size: 1.6MB
- Sample: 240520-m8w8xsgg24
- MD5: a10f8a0cc9559e86df8b35b36192f10a
- SHA1: f00b29322c2b1664ab8c12be02c7b6d631a94ab3
- SHA256: 6635a58c79d9128fb9427ca417b6d329fcb387eeeb0355086968bfa2b9e13abd
- SHA512: c3f174412af6a299fa5d7fe524ab791b30c821b105b961e42f9444826f761a4892e5c73d6d9e8b1aeab01f2528c30062bcebb4701b8bb06f369b02f29340c54d
- SSDEEP: 24576:S5pcAD5VQ8dJ6tsPVi9+vx7+3LStGd1yZLv4z+wmh5OrmXIY4oGcTot3eA6wC:l8u9+piYGd1yZ0zuh5AHcexi
Static task: static1
Behavioral task: behavioral1
- Sample: BILLOFLADING-IMPORTS-DOCS.exe
- Resource: win7-20240221-en
Malware Config
Extracted
remcos
WK
embargogo237.duckdns.org:10521
embargogo2378.duckdns.org:10522
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: true
- install_flag: false
- keylog_crypt: true
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: iexplorer
- keylog_path: %AppData%
- mouse_option: false
- mutex: zmt-C10PFT
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- take_screenshot_option: false
- take_screenshot_time: 5
Targets
- Target: BILLOFLADING-IMPORTS-DOCS.exe
- Looks for VirtualBox Guest Additions in registry
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely for geofencing.
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
- Bypass User Account Control (1)
- Impair Defenses (3)
- Disable or Modify Tools (3)
- Modify Registry (4)
- Scripting (1)
- Virtualization/Sandbox Evasion (2)