General

  • Target

    15082024_0855_14082024_GST_debit note -Aug 2024.rar

  • Size

    557KB

  • Sample

    240815-kvlh6azbnm

  • MD5

    1a113bc09cbb7e11824e586b471e75ab

  • SHA1

    dc45c053f6e7b612a2647c84136c957bc092c3df

  • SHA256

    dab4b15e4bd5233f51c8abf8e15cbe1196e2a1b0e328967009f1955acee6ab34

  • SHA512

    71ce09e643b74769d5c77ae814d5620dbd28cd5aff3f2aa6e570e9e7dc68b93c91393c5b292f729523af6cb933c113541f1c917fc1038117b413941dc28bb076

  • SSDEEP

    12288:iWG5DLlb9sgPxg8xisrjcQNqDWTyrs8p+xCsSxVvqVX9Wr9gdF:m5HlxsktrgQsDDMxCswqgyF

Malware Config

Extracted

  • Family

    remcos

  • Version

    1.7 Pro

  • Botnet

    credit

  • C2

    213.152.187.220:27873

    stcchd.duckdns.org:27873

Attributes

  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    note.dat

  • keylog_flag

    false

  • keylog_folder

    credit

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_tgmbmthuqf

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      GST_debit note -Aug 2024.pdf.scr

    • Size

      665KB

    • MD5

      5dff2b0b6cac8c402d1f6d33b02719b0

    • SHA1

      03199418ecff1281be63fc42ee532ff0e70567e8

    • SHA256

      d878174195c4772f3f30f1d276685d1bbdecc953ea99d5f842bc36d61753f11c

    • SHA512

      fe25929cf5d5f16125265afb94f5656671483e8300f59276f2609d310f97a70a9c12d47571adfe20103be4aef4c2cd3ccdc910d61cb3fbc4c51f3c291214c844

    • SSDEEP

      12288:8dw7c65kts5uvaYqwWvHQ+8QZI5Hs6tTIQbfBV63Si61l5Z6JEAmD:8u7+tkYqwEx8Q+5JZYiZ6J

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks