General

  • Target

    FG098700000000.exe

  • Size

    768KB

  • Sample

    240819-rrbywaseqm

  • MD5

    989054c5af86019ccfa32642ae628639

  • SHA1

    5fe55707a4eebd51723ea950aa80d3a49e810207

  • SHA256

    1f75782173ef3b1b68650a95b7846bb35faa400d53b52fc1ad8b65a86bc72c88

  • SHA512

    401e5f2508ddc81d24047cbf707f35c121fcc07c9e2be6f477175ee275e970a52e0aedb905ce0ca026645477d4b89dfb989dc9361302c037d632d67fe3e128d9

  • SSDEEP

    12288:oYV6MorX7qzuC3QHO9FQVHPF51jgcHJqOhTbYQ270cUq+rMxw0GakFQjIE8xQPPK:HBXu9HGaVHH75bYjVM1T4M3aCjpn7

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.175.229.139:8823

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-2BGC0K

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      FG098700000000.exe

    • Size

      768KB

    • MD5

      989054c5af86019ccfa32642ae628639

    • SHA1

      5fe55707a4eebd51723ea950aa80d3a49e810207

    • SHA256

      1f75782173ef3b1b68650a95b7846bb35faa400d53b52fc1ad8b65a86bc72c88

    • SHA512

      401e5f2508ddc81d24047cbf707f35c121fcc07c9e2be6f477175ee275e970a52e0aedb905ce0ca026645477d4b89dfb989dc9361302c037d632d67fe3e128d9

    • SSDEEP

      12288:oYV6MorX7qzuC3QHO9FQVHPF51jgcHJqOhTbYQ270cUq+rMxw0GakFQjIE8xQPPK:HBXu9HGaVHH75bYjVM1T4M3aCjpn7

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

MITRE ATT&CK Enterprise v15

Tasks