General

  • Target

    0ff8154810154e6fe8ec0e941f38b827b74fd95cc88f842f6ba999182f7aafaf.exe

  • Size

    2.4MB

  • Sample

    240724-sbz67s1hjj

  • MD5

    2b9d05f31e4b8d74f2cf6b53bd13b483

  • SHA1

    ad36b1aa5ed7d868a9a41ccbc901469037c82282

  • SHA256

    0ff8154810154e6fe8ec0e941f38b827b74fd95cc88f842f6ba999182f7aafaf

  • SHA512

    7d936b396341028968a21eafd05e4ef31ef8e635331f87f4ff7e2e3b4afcf9f031a087ca5c5a11f93e69ae7689f7e58a8ed1c3389995f2a48cbb2b20d1350307

  • SSDEEP

    49152:zhNiSevP0NP/Bok2J9wQ3Bl0IffTzWIZdQzRD4VtDWj:dNi3UNsT3dJQxR

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

bignight.net:3363

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-1XSDBO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      0ff8154810154e6fe8ec0e941f38b827b74fd95cc88f842f6ba999182f7aafaf.exe

    • Size

      2.4MB

    • MD5

      2b9d05f31e4b8d74f2cf6b53bd13b483

    • SHA1

      ad36b1aa5ed7d868a9a41ccbc901469037c82282

    • SHA256

      0ff8154810154e6fe8ec0e941f38b827b74fd95cc88f842f6ba999182f7aafaf

    • SHA512

      7d936b396341028968a21eafd05e4ef31ef8e635331f87f4ff7e2e3b4afcf9f031a087ca5c5a11f93e69ae7689f7e58a8ed1c3389995f2a48cbb2b20d1350307

    • SSDEEP

      49152:zhNiSevP0NP/Bok2J9wQ3Bl0IffTzWIZdQzRD4VtDWj:dNi3UNsT3dJQxR

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks