General

  • Target

    665029b14081d957509bdf72be22ab7fd8f5aa2f63ad55339fe4d006647b9a29.exe

  • Size

    908KB

  • Sample

    240720-l61ynaxdln

  • MD5

    6f8665a0d465fbaa7bbb0ff771498996

  • SHA1

    b464d455a70826f65e6877ec2e116e8ed9bfe80d

  • SHA256

    665029b14081d957509bdf72be22ab7fd8f5aa2f63ad55339fe4d006647b9a29

  • SHA512

    c5470b656a878ff414a5037688f1439c928bf81adddd1f65cb8349a0b5a5cd9f44cc2df769426a7a7b6d88245bc6cca90a5e6489d6899039aeb292498c011463

  • SSDEEP

    24576:jAypqRY5K5LWWYe1vKQ3vHR4Q27L0o4Qry/BgX4s:j7cDYGiQ3vHSLYQrypg5

Malware Config

Extracted

Family

remcos

Botnet

NewRemcosFile

C2

185.29.9.110:2404

tradezonedns.duckdns.org:2404

www.ozkol-aluminyum.com:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    vipvipvip

  • mouse_option

    false

  • mutex

    Rmc-42D02C

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      665029b14081d957509bdf72be22ab7fd8f5aa2f63ad55339fe4d006647b9a29.exe

    • Size

      908KB

    • MD5

      6f8665a0d465fbaa7bbb0ff771498996

    • SHA1

      b464d455a70826f65e6877ec2e116e8ed9bfe80d

    • SHA256

      665029b14081d957509bdf72be22ab7fd8f5aa2f63ad55339fe4d006647b9a29

    • SHA512

      c5470b656a878ff414a5037688f1439c928bf81adddd1f65cb8349a0b5a5cd9f44cc2df769426a7a7b6d88245bc6cca90a5e6489d6899039aeb292498c011463

    • SSDEEP

      24576:jAypqRY5K5LWWYe1vKQ3vHR4Q27L0o4Qry/BgX4s:j7cDYGiQ3vHSLYQrypg5

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks