General

  • Target

    322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe

  • Size

    910KB

  • Sample

    240814-k6rvbatgng

  • MD5

    129ab29e55efb205471261bc48380372

  • SHA1

    75670ebbf86906138538caad68b5a75f17097be3

  • SHA256

    322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24

  • SHA512

    8020ed1d32fce5d9931da0e52b501c985de294c323a3d70a1f3873642f1a323f79479d555ddb5c2991d68c4300cbb95607e7582f42213080798a8d9de78a70e9

  • SSDEEP

    24576:qzKGObd+rcjuV/B1mV4uhB4tqyJy70oRXr85ABIxWD:qzKGOorcc8Q5k70o5g58Ixc

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.243.155:7643

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-C9YEJ8

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24.exe

    • Size

      910KB

    • MD5

      129ab29e55efb205471261bc48380372

    • SHA1

      75670ebbf86906138538caad68b5a75f17097be3

    • SHA256

      322c8e0ba72b41a9ee9ebdeeb1b1d71cefd9ed9674e285efed105c0918834b24

    • SHA512

      8020ed1d32fce5d9931da0e52b501c985de294c323a3d70a1f3873642f1a323f79479d555ddb5c2991d68c4300cbb95607e7582f42213080798a8d9de78a70e9

    • SSDEEP

      24576:qzKGObd+rcjuV/B1mV4uhB4tqyJy70oRXr85ABIxWD:qzKGOorcc8Q5k70o5g58Ixc

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks