General

  • Target

    d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca.exe

  • Size

    932KB

  • Sample

    240810-b6bzeszfnn

  • MD5

    15c127b849650f0c43f5681f8399a090

  • SHA1

    efe8542f6e4612a1bddd0f3e29c99f4b70cbc9b3

  • SHA256

    d3ab0c4ddfbdbce6b1f200436de1c9d1f94567b06a420dc453d02460452cebca

  • SHA512

    b3df32ed3caad831ae02bb7ed72d34747f1e76ec505d3a49a2dceef0207acbcd08c5aea4241ec777035b1896c80df084b85807a51a9fa1dbb6750bc547000bf0

  • SSDEEP

    24576:nxv7AOUeJ5BWiJ5K1xKtk4mPbUc39ZDhzq39A:xv7cmWOU1Sk46bUUZDQ

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    104.250.180.178:7902

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    Adobe.exe

  • copy_folder

    Adobe

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Adobe-OTOIRK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Checks computer location settings

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

  • Suspicious use of SetThreadContext
