General

  • Target

    6afa6e45dd17f3db5a8d4e3856f735844a6607ed805fef058e207b1bdc5c19f7.jar

  • Size

    905KB

  • Sample

    240810-btawlazajl

  • MD5

    0ae5021742ffd24c70aa90999cc0a8ce

  • SHA1

    fe008ebf0d4740849e4a9e746e54a66ddd442c29

  • SHA256

    6afa6e45dd17f3db5a8d4e3856f735844a6607ed805fef058e207b1bdc5c19f7

  • SHA512

    e4afadb374ddbcf69df3bbc296b54f76692e32eacb66820506196adc608cae2fe0af182ccb9c6bc4d885ecc4fa776eca87e41c2450a805b18e475cc829b508e9

  • SSDEEP

    24576:OsnL1AOSod4Beq8szA+cPcad/QeBh7Jm+MZKXVVlTU3:OsL1AxXzGEU/QO7Jm+MZSVlTe

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

eadzagba1.duckdns.org:4877

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-X3UMUO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Request for Quotation.exe

    • Size

      942KB

    • MD5

      81f320c7d5f344ae0ddd2b05c69efb78

    • SHA1

      dcfae138ee23d9cea53a052cfe3c42e87c1873e5

    • SHA256

      de99d33baf08708519ab2d9dc15635280482b2b21e52653b8786a6eb34c2f262

    • SHA512

      cb94f64fd7979917ba1d32a3966e22e9afce0766f58cf15e23a7f1a00d6b2f7cfd1e9b07edcd4c76e7471d89690d142e1ddaa23ea09d95b0f9eb17517d9189e7

    • SSDEEP

      24576:BYeOKhefMa86dA+CPcwh/6s7TNNuS6UEtvqsX+ES:2trdsEE/6mNNuS6UEtvHO

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks