General

  • Target

    FLUID CONTROLS PRIVATE LIMITED.gz

  • Size

    904KB

  • Sample

    240808-nmlezawgpa

  • MD5

    5d090a2ff938a968e57bf8dad49f9136

  • SHA1

    ab525228d6224df4d0dff20f1696bac67fb1b0a1

  • SHA256

    32af7d27814501faca5d3b86b3d1b9ac2f75800526c3f6a899074d15146d811b

  • SHA512

    779bb0cdc458466a77a581dcdb679d22d6b6d087fdc4b4cff0bc53b4d05fb07b9ca5c996de5c66fdbfb43a2551f85d3390f56a72f3988de0d6cf2dec895b8d95

  • SSDEEP

    24576:Ptps2uiQdOJgpHImaDD0WIP5oRcL0wlszTOnWe2VFO:89OJkHg0fjUzT+Wxa

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

eadzagba1.duckdns.org:4877

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-X3UMUO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      FLUID CONTROLS PRIVATE LIMITED.exe

    • Size

      942KB

    • MD5

      81f320c7d5f344ae0ddd2b05c69efb78

    • SHA1

      dcfae138ee23d9cea53a052cfe3c42e87c1873e5

    • SHA256

      de99d33baf08708519ab2d9dc15635280482b2b21e52653b8786a6eb34c2f262

    • SHA512

      cb94f64fd7979917ba1d32a3966e22e9afce0766f58cf15e23a7f1a00d6b2f7cfd1e9b07edcd4c76e7471d89690d142e1ddaa23ea09d95b0f9eb17517d9189e7

    • SSDEEP

      24576:BYeOKhefMa86dA+CPcwh/6s7TNNuS6UEtvqsX+ES:2trdsEE/6mNNuS6UEtvHO

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks