General

  • Target

    d9ec6827066afb3585d4c9387120f8fbba598ea3a2d23fda4350684f62f0caa2

  • Size

    1.3MB

  • Sample

    240729-j8zr9stgka

  • MD5

    eeeb960358940a5b53653cc7fc3860da

  • SHA1

    ac12c07bda2dd47c519cd20aa8a1f6ba5da7e694

  • SHA256

    d9ec6827066afb3585d4c9387120f8fbba598ea3a2d23fda4350684f62f0caa2

  • SHA512

    d30645d98196b1eb5b96887bbcf7904c723b47b899ba61d978143fa23c1df72524b502346e270b5322eed732441d88be6fb49d0bdd238247157e852b3640e1cd

  • SSDEEP

    24576:GB4ROjfxIJzD0WIZ4T9nb061Thsjz6dTOYLrLjFQV/OPi5VRch1ZxGroi:GuIdc0RC5u36dTOYvFG/75VRIioi

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

127.0.0.1:54888

zuesremmy.duckdns.org:54888

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-Z19JY9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Payroll for July.PDF.bat

    • Size

      4.9MB

    • MD5

      221325197f9623e7be8285e05b28c8db

    • SHA1

      e96b0bf85a8b3e9544eed7b2db4db08bbaee5707

    • SHA256

      68711195c07e287987488f7045c7147501ccfbae22318b8460d01a86d2f09599

    • SHA512

      30b445175c2700065cfecc18d839f4129297435f94649fc5f5fdc489a3151e4544abcf40e2923e2d2002e438f6bf03cdc4cdbd21d44344cc2306c25cc401e98e

    • SSDEEP

      49152:qILm52gH9tPNjLtDgqYQQLg74MmPp1E1TlUQdbKvqsCOP1Ru4JmB/po9c4:5

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

    • Detected Nirsoft tools

      Free utilities often used by attackers which can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Accesses Microsoft Outlook accounts

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks