General

  • Target

    AWB 5596370080 Documents.gz

  • Size

    887KB

  • Sample

    240723-q8lc7stcmj

  • MD5

    8e1ff426694b680b166d92c1d92863f9

  • SHA1

    033cf1d2087b978ee425eb20a470ada41f74dd65

  • SHA256

    1b4991d36f09f8cb146534524957f89da72621057cce18a95335b001566b08b2

  • SHA512

    a3874478d8009e7b782a30d71c1138415bdb3a0491e33975c8de3e74a0d1d12dc9e4fdd5768c27f0573c772e877e4be2ebb229179b8698f9ef5a8a51756a0fa1

  • SSDEEP

    24576:YR9UtmVyyP+ojt5FGxPEEvlqayxOCvHnJ2s+v:YRWmEyP+MGjvlNWn1s

Malware Config

Extracted

Family

remcos

Botnet

5764576

C2

172.93.218.178:45667

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    765-XJJE0J

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
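
Network hunting for the extracted C2, as an added example that is not part of the sandbox report: the function takes the C2 endpoint above (172.93.218.178:45667) together with connect_interval = 1 and connect_delay = 0, and runs over Zeek conn.log style flow records, constructed inline, flagging both direct hits on the indicator and the tightly periodic reconnects that a one-second connect interval produces while the server is unreachable. The record layout, the jitter threshold and the sample flows are assumptions.

```python
"""Hunt for the Remcos C2 in connection logs.

Added example for this report (not part of the sandbox output). Records are
Zeek conn.log style tuples constructed inline: (ts, src, dst, dport, proto).
"""
from collections import defaultdict
from statistics import median

# Taken from the extracted config above.
C2_HOST, C2_PORT = "172.93.218.178", 45667
CONNECT_INTERVAL = 1.0   # seconds, from connect_interval

# Constructed flows (not real traffic). 10.0.0.5 reconnects to the C2 about
# once a second; the 203.0.113.10 flows are irregular browsing-like noise.
SAMPLE_CONN = [
    (1721718000.00, "10.0.0.5", "172.93.218.178", 45667, "tcp"),
    (1721718000.50, "10.0.0.5", "203.0.113.10", 443, "tcp"),
    (1721718001.02, "10.0.0.5", "172.93.218.178", 45667, "tcp"),
    (1721718002.01, "10.0.0.5", "172.93.218.178", 45667, "tcp"),
    (1721718003.05, "10.0.0.5", "172.93.218.178", 45667, "tcp"),
    (1721718004.00, "10.0.0.5", "172.93.218.178", 45667, "tcp"),
    (1721718005.03, "10.0.0.5", "172.93.218.178", 45667, "tcp"),
    (1721718007.20, "10.0.0.5", "203.0.113.10", 443, "tcp"),
    (1721718007.90, "10.0.0.5", "203.0.113.10", 443, "tcp"),
    (1721718010.00, "10.0.0.5", "10.0.0.1", 53, "udp"),
    (1721718030.10, "10.0.0.5", "203.0.113.10", 443, "tcp"),
    (1721718031.00, "10.0.0.5", "203.0.113.10", 443, "tcp"),
]


def c2_hits(records, host=C2_HOST, port=C2_PORT):
    """Exact indicator match: every flow to the configured C2 endpoint."""
    return [r for r in records if r[2] == host and r[3] == port]


def beacon_candidates(records, min_flows=5, max_jitter=0.25, expected=None):
    """Flag (src, dst, dport) groups whose inter-flow gaps are tightly clustered.

    jitter = max |gap - median| / median; at or below max_jitter counts as
    periodic. If `expected` (seconds) is given, the median gap must also lie
    within max_jitter of it, tying the hunt to the sample's connect_interval.
    """
    groups = defaultdict(list)
    for ts, src, dst, dport, _proto in records:
        groups[(src, dst, dport)].append(ts)
    found = []
    for key, times in groups.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        jitter = max(abs(g - med) for g in gaps) / med
        if jitter > max_jitter:
            continue
        if expected is not None and abs(med - expected) / expected > max_jitter:
            continue
        found.append((key, round(med, 2), len(times)))
    return found


if __name__ == "__main__":
    for r in c2_hits(SAMPLE_CONN):
        print("C2 hit:", r)
    for key, gap, n in beacon_candidates(SAMPLE_CONN, expected=CONNECT_INTERVAL):
        print(f"beacon-like: {key} every ~{gap}s ({n} flows)")
```

Once a session is established the client holds a single long-lived TCP connection, so the one-second pattern is mostly visible as a burst of short-lived flows while the server is down or refusing; the indicator match remains the reliable signal, and the periodicity check is the fallback for when the C2 address changes between samples.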

Targets

    • Target

      AWB 5596370080 Documents.exe

    • Size

      934KB

    • MD5

      1ef0c7abe1471a69b746d6b0605ce71f

    • SHA1

      ca1cae85ebb6120908d39d45b1ffa232daeff544

    • SHA256

      377e5c1f1fd2f26d7a348a6393e110800b21f0cfe7d9ecf108e7612e43f5230b

    • SHA512

      04810d34bc2e9c55d276844bd5a8a65a12ce5e73df819aa4a9ff5c25ab0e6486c5e48ce1c382887e64d7f78fd4044c4ffa7872250eb51ce13340d4de109478e5

    • SSDEEP

      24576:sAwoIc0sIftPNPh64pCIUkbiFdb7aK8cvXrP74I6GLMbP:sFFPh6nIO/yK57hFC

    • Remcos

      Remcos is closed-source remote control and surveillance software, sold commercially and widely abused as a remote access trojan.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (the Defender module's Add-MpPreference / Set-MpPreference cmdlets).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution so the sample behaves differently depending on the victim's locale.

    • Suspicious use of SetThreadContext
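
Detection logic for the PowerShell behaviour listed above, as an added example that is not part of the sandbox report: it scans process-creation command lines (Sysmon Event ID 1 style strings, constructed here) for Add-MpPreference / Set-MpPreference with any of the three exclusion parameters, resolving PowerShell's abbreviated parameter names and decoding -EncodedCommand payloads before matching. The cmdlet and parameter names are the Defender module's real ones; the sample command lines are constructed and the tokenising rules are assumptions.

```python
"""Flag PowerShell command lines that add Windows Defender exclusions.

Added example for this report (not part of the sandbox output). Input is a
list of Sysmon Event ID 1 style CommandLine strings, constructed below.
"""
import base64
import binascii
import re

# Cmdlets that change Defender configuration (Get-MpPreference only reads).
DEFENDER_CMDLETS = ("add-mppreference", "set-mppreference")
# Exclusion parameters named in the signature. PowerShell accepts any
# unambiguous prefix of a parameter name, so "-ExclusionPa" is valid input.
EXCLUSION_PARAMS = ("exclusionpath", "exclusionextension", "exclusionprocess")

# powershell.exe -EncodedCommand (also -enc / -ec / -e) carries Base64 of
# UTF-16LE script text; -ExecutionPolicy must not be mistaken for it.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# A -Exclusion* parameter and its value(s), up to the next parameter or ';'.
PARAM_RE = re.compile(r"(-exclusion\w*)\s+(.+?)(?=\s+-\w|\s*;|$)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload, if any, to the command line."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        script = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + script


def resolve_param(token):
    """Map '-ExclusionPa' style tokens to the full parameter name.

    Returns None for non-exclusion parameters and for ambiguous prefixes
    such as '-Exclusion', which PowerShell itself rejects.
    """
    name = token.lstrip("-").lower()
    matches = [p for p in EXCLUSION_PARAMS if p.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def find_defender_exclusions(cmdlines):
    """Return (parameter, value) pairs for every exclusion being added or set."""
    findings = []
    for line in cmdlines:
        text = decode_encoded_command(line)
        if not any(c in text.lower() for c in DEFENDER_CMDLETS):
            continue
        for token, values in PARAM_RE.findall(text):
            param = resolve_param(token)
            if param is None:
                continue
            for value in values.split(","):
                value = value.strip().strip("'\"")
                if value:
                    findings.append((param, value))
    return findings


# Constructed command lines; none is taken from the real sample.
_ENCODED = base64.b64encode(
    "Set-MpPreference -ExclusionProc remcos.exe".encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    'powershell.exe -ExecutionPolicy Bypass -Command Add-MpPreference '
    '-ExclusionPath "C:\\Users\\Public", "%AppData%\\Remcos" -ExclusionExtension .exe',
    "powershell.exe -nop -w hidden -enc " + _ENCODED,
    "powershell.exe -Command Get-MpPreference",                 # read-only: no hit
    "powershell.exe -Command Add-MpPreference -Exclusion foo",  # ambiguous prefix: no hit
    "cmd.exe /c dir",
]

if __name__ == "__main__":
    for param, value in find_defender_exclusions(SAMPLE_CMDLINES):
        print(f"Defender exclusion added: {param} = {value}")
```

Command-line matching is the weakest of the available sources: PowerShell Script Block Logging (Event ID 4104) records the decoded script even when the command line is obfuscated or piped in through stdin, and the Windows Defender Operational log records the resulting configuration change itself (Event ID 5007), so an exclusion added by a process that never shows an Add-MpPreference string on its command line still leaves a trail.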

MITRE ATT&CK Enterprise v15

Tasks