General

  • Target: tmpy6o_6f_o
  • Size: 2.6MB
  • Sample: 240814-j5jxmswgpq
  • MD5: 61ef99c483cd4ef6c2eeac450629820b
  • SHA1: 99b2b9e45e89bae62bfeeb631278100abb1d246d
  • SHA256: fef0bccaba1cf7fe16cd4c750e280e09ee68e95818fb3db648362dfaa47dc601
  • SHA512: 81f30f5d7d16dac4b5e1d7324e1b9259ada251523d13b6079a6f68b10df01f03bfbdf56cd23e39c666022206adb314cbd2931482ec277fffaaa1ef412282173b
  • SSDEEP: 49152:4rasJSuxF9rdUbJ2wMt7QjKuBQucL49Vd1JScFdtNYUy3N5508jY:mxD6v3w2YUSN5bY

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: eadzagba1.duckdns.org:4877

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-X3UMUO
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Remcos: Remcos is a closed-source remote control and surveillance software.
    • Command and Scripting Interpreter: PowerShell: Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence.
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15