General

  • Target

    11072024_0801_11072024_Factura32589102675661702066098721813514290110013813751186178887533940556.7z

  • Size

    503KB

  • Sample

    240711-jwqntszamb

  • MD5

    a213603c387c90f748ed63b92a9e179c

  • SHA1

    6c3f35bba64357e8de77b5d72e6c65547552b167

  • SHA256

    89b3b369e3b07ecf9cf72de6708fe585619bdc7a1ac0d9552b8573e6384649ae

  • SHA512

    d7b60fd998b45357e538afb23c846b607f20174e807ab3a435b35bb82a39b75bbc4a21ceed6a57c9630e9b12ff05d184821ae6053e6176aa815975348714bef2

  • SSDEEP

    12288:TP6ShDXAN2LDJHe7Exom3akIBb6L7BA3er978GXjBQE:zvhLAuD2Bm3cxu5oGz9

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

Start

C2

185.196.9.78:24041

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    log.dat

  • keylog_flag

    false

  • keylog_folder

    System01

  • mouse_option

    false

  • mutex

    Rmcxyz1-AEDW2I

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
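
The extracted configuration above is only useful once it is turned into things a detection engineer can actually match. The following Python is an added example for this report, not code from the page or from any sandbox: it copies the configuration values from the Malware Config section, derives network, mutex and file indicators from them, and runs those indicators over a handful of constructed telemetry records. One assumption is made that the page does not state: that the copy and keylog folders are created under the same base directory as screenshot_path (%AppData%). Because install_flag, keylog_flag and screenshot_flag are all false in this configuration, the derived file paths are defaults that may never appear on disk, so the code grades them low and keeps the C2 endpoint and mutex as the firm indicators. (Separately, note that the 503KB archive unpacks to a 235.0MB executable; a ratio like that usually means the binary has been padded to exceed scanner size limits, which is worth remembering when the file hashes rather than the config are fed to tooling.)

```python
"""Turn an extracted Remcos configuration into concrete indicators and run
them over sample endpoint telemetry.

Added example for this report, not code from the report or any sandbox.
Assumption (not stated on the page): copy_folder and keylog_folder live under
the same base directory as screenshot_path (%AppData%).
"""
import ipaddress

# Values copied from the report's Malware Config section.
REMCOS_CONFIG = {
    "c2": ["185.196.9.78:24041"],
    "mutex": "Rmcxyz1-AEDW2I",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "install_flag": False,
    "keylog_folder": "System01",
    "keylog_file": "log.dat",
    "keylog_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "screenshot_flag": False,
}


def parse_c2(entry):
    """Split a 'host:port' C2 entry and classify the host as ip or domain."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"malformed C2 entry: {entry!r}")
    try:
        ipaddress.ip_address(host)
        kind = "ip"
    except ValueError:
        kind = "domain"
    return {"host": host, "port": int(port), "kind": kind}


def derive_iocs(cfg):
    """Return a list of {kind, value, confidence, why} indicators.

    The C2 endpoint and the mutex do not depend on feature flags, so they are
    graded high. A file path is only as reliable as the flag that enables the
    feature behind it: with install_flag/keylog_flag/screenshot_flag all false,
    the path is a default that may never be created, so it is graded low.
    """
    base = cfg["screenshot_path"]  # assumed base dir for all folders ('%AppData%')
    iocs = []
    for entry in cfg["c2"]:
        c2 = parse_c2(entry)
        iocs.append({"kind": "network", "value": (c2["host"], c2["port"]),
                     "confidence": "high", "why": "C2 from config"})
    iocs.append({"kind": "mutex", "value": cfg["mutex"],
                 "confidence": "high", "why": "mutex from config"})
    candidates = [
        (f"{base}\\{cfg['copy_folder']}\\{cfg['copy_file']}", cfg["install_flag"], "install copy"),
        (f"{base}\\{cfg['keylog_folder']}\\{cfg['keylog_file']}", cfg["keylog_flag"], "keylog file"),
        (f"{base}\\{cfg['screenshot_folder']}\\", cfg["screenshot_flag"], "screenshot folder"),
    ]
    for path, enabled, why in candidates:
        iocs.append({"kind": "file", "value": path,
                     "confidence": "medium" if enabled else "low",
                     "why": why + (" (feature enabled)" if enabled else " (feature disabled in config)")})
    return iocs


def match_events(iocs, events):
    """Return (event_index, ioc) pairs for every telemetry record that hits."""
    hits = []
    for i, ev in enumerate(events):
        for ioc in iocs:
            if ev["type"] == "network" and ioc["kind"] == "network":
                if (ev["dst"], ev["port"]) == ioc["value"]:
                    hits.append((i, ioc))
            elif ev["type"] == "mutex" and ioc["kind"] == "mutex":
                # Compare the object name only; the session prefix varies per host.
                if ev["name"].rsplit("\\", 1)[-1] == ioc["value"]:
                    hits.append((i, ioc))
            elif ev["type"] == "file" and ioc["kind"] == "file":
                # %AppData% expands to ...\AppData\Roaming on a real host.
                needle = ioc["value"].lower().replace("%appdata%", "\\appdata\\roaming")
                if needle in ev["path"].replace("/", "\\").lower():
                    hits.append((i, ioc))
    return hits


# Constructed telemetry, not taken from the report: one hit per kind plus noise.
SAMPLE_EVENTS = [
    {"type": "network", "dst": "185.196.9.78", "port": 24041},
    {"type": "network", "dst": "185.196.9.78", "port": 443},
    {"type": "mutex", "name": "\\Sessions\\1\\BaseNamedObjects\\Rmcxyz1-AEDW2I"},
    {"type": "file", "path": "C:\\Users\\alice\\AppData\\Roaming\\Remcos\\remcos.exe"},
    {"type": "file", "path": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\x.theme"},
]

if __name__ == "__main__":
    for idx, ioc in match_events(derive_iocs(REMCOS_CONFIG), SAMPLE_EVENTS):
        print(f"event {idx}: {ioc['kind']} {ioc['value']} [{ioc['confidence']}] {ioc['why']}")
```

Run as-is it reports three hits: the C2 connection and the mutex as high-confidence, and the %AppData%\Remcos\remcos.exe write as low-confidence because install_flag is false in this sample. The same functions accept a config extracted from a different Remcos sample, so a keylog or screenshot path graded low here becomes medium for a sample whose flags enable those features.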

Targets

    • Target

      Factura32589102675661702066098721813514290110013813751186178887533940556.exe

    • Size

      235.0MB

    • MD5

      fa51063cb831d7c093e72de83d927e09

    • SHA1

      3235fc94c49d40ac1674d526bd84121f59064928

    • SHA256

      d2c2eb711a020d0941c2d24d03db3d1b0bdfbc2399ce795aa1d00997ef9bc6a2

    • SHA512

      b2920aee0c91950f50e88411d57182dd895cbf31b7518e2f8a110c0a8f65cfcf1ec9b9f63b3d2765694c44a71fba005c69947ccdfb1cacffc3e36ffb1241073f

    • SSDEEP

      12288:alQGCoTPUMMucemBbNp68Muq1nnv3nhGvyq1slToG:alnMTBbSZBnv3REsNn

    Score
    10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
