General
-
Target
2feab58698094b0d257ef35fca431f020a8d08d622bb629d0cc9e681a1af0a81.xls
-
Size
244KB
-
Sample
240525-bhck2shb3z
-
MD5
097581fd59cba7e6f3ef2623c380ffcb
-
SHA1
d941e4a177de4815cfe667f0282f0ee8eaabde0a
-
SHA256
2feab58698094b0d257ef35fca431f020a8d08d622bb629d0cc9e681a1af0a81
-
SHA512
6628fc508369c4b622e790084b8e379ed432d2985cb2375cd90528bb6ef89568131d8ebec4a62f1202c56170a98bd2c766f937c336e09f011992f6760112a61a
-
SSDEEP
6144:ue4UcLe0JOqPQZR8MDdATCR3tSul0W8ETwFN3sm4Lc7qRcz0DLdvU:EUP/qPQZR8MxAm/SbW8E8N394oeuMLq
Malware Config
Extracted
remcos
RemoteHost
sembe.duckdns.org:14645
-
audio_folder
MicRecords
-
audio_record_time
5
-
connect_delay
0
-
connect_interval
1
-
copy_file
remcos.exe
-
copy_folder
Remcos
-
delete_file
false
-
hide_file
false
-
hide_keylog_file
false
-
install_flag
false
-
keylog_crypt
false
-
keylog_file
nots.dat
-
keylog_flag
false
-
keylog_folder
note
-
keylog_path
%Temp%
-
mouse_option
false
-
mutex
Rmc-999Z97
-
screenshot_crypt
false
-
screenshot_flag
false
-
screenshot_folder
Screenshots
-
screenshot_path
%AppData%
-
screenshot_time
10
-
take_screenshot_option
false
-
take_screenshot_time
5
Targets
-
-
Target
2feab58698094b0d257ef35fca431f020a8d08d622bb629d0cc9e681a1af0a81.xls
-
Size
244KB
-
MD5
097581fd59cba7e6f3ef2623c380ffcb
-
SHA1
d941e4a177de4815cfe667f0282f0ee8eaabde0a
-
SHA256
2feab58698094b0d257ef35fca431f020a8d08d622bb629d0cc9e681a1af0a81
-
SHA512
6628fc508369c4b622e790084b8e379ed432d2985cb2375cd90528bb6ef89568131d8ebec4a62f1202c56170a98bd2c766f937c336e09f011992f6760112a61a
-
SSDEEP
6144:ue4UcLe0JOqPQZR8MDdATCR3tSul0W8ETwFN3sm4Lc7qRcz0DLdvU:EUP/qPQZR8MxAm/SbW8E8N394oeuMLq
Score10/10-
Remcos
Remcos is a closed-source remote control and surveillance software.
-
Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Abuses OpenXML format to download file from external location
-
Adds Run key to start application
-
Drops file in System32 directory
-
Suspicious use of SetThreadContext
-