General

  • Target: ff4cba93f8beaafef07616a6c47729bf7bc6a146d446264ac2154d51b1b7c5ba
  • Size: 392KB
  • Sample: 240919-latvga1djc
  • MD5: 7d812cadbca8a914e5988ff554b0b79f
  • SHA1: 2784df21bb330ac2af1830ee99d70869219d3a12
  • SHA256: ff4cba93f8beaafef07616a6c47729bf7bc6a146d446264ac2154d51b1b7c5ba
  • SHA512: 080a5ad169d8292d3e281957c928bf3fd127e39be15218b9877b3c5271095af92c893ad61b4715086488ac3de5e96caaf0edc910f46ce12e1d3ee370b18bb40a
  • SSDEEP: 6144:ApmKNN2SD5/Kl9owgZX0XJdS6Sph+q7NNZuv0T1JtX5PXjXnCgLa52k0Sn:xKH5/uowgZEXJdS6S7+GNsutjXEck00

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: subddfg.lol:2404

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-7DPFW5
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: Quotation.exe
    • Size: 501KB
    • MD5: 0b4ee9f14e7bd0aa331c61ebe5976309
    • SHA1: d1f020ae7b3a5c5365af80f2a57cb724e28f341d
    • SHA256: 346469ceacfe6c1436f98f34d5f8ecbbd5d64bc077818b662e360be60c407160
    • SHA512: ea3b21ba9aa8706a0bf41346ec07aad1938029d9b9c7b3d73c34343451f71e80790c43304eace971909f47577ae56100d0d9e24ae55a9ad2f9f0988c044ac623
    • SSDEEP: 6144:mC2Evn/IvIrb2mfrBaieg9X0XJxS6Iph+q7NNRuv0j1JtX7PXjrnCgLa526bvUpk:jnC8Cmf8ieg9EXJxS6I7+GNEgzjLEcvk
    • Guloader, Cloudeye: A shellcode-based downloader first seen in 2020.
    • Remcos: Remcos is closed-source remote control and surveillance software.
    • Loads dropped DLL
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

    • Target: $PLUGINSDIR/System.dll
    • Size: 11KB
    • MD5: 375e8a08471dc6f85f3828488b1147b3
    • SHA1: 1941484ac710fc301a7d31d6f1345e32a21546af
    • SHA256: 4c86b238e64ecfaabe322a70fd78db229a663ccc209920f3385596a6e3205f78
    • SHA512: 5ba29db13723ddf27b265a4548606274b850d076ae1f050c64044f8ccd020585ad766c85c3e20003a22f356875f76fb3679c89547b0962580d8e5a42b082b9a8
    • SSDEEP: 192:MPtkumJX7zB22kGwfy0mtVgkCPOs91un:9702k5qpds9Qn

    Score: 3/10

    • Target: $PLUGINSDIR/nsExec.dll
    • Size: 6KB
    • MD5: 4bbc9d77ef7f748f8c85750c3a445f0a
    • SHA1: d57a8304bb44ccdb3163b880b3c1bb213461399d
    • SHA256: 482536968672d70279a5204060ff84ace25237f24b1bdf3b02e289d50ea5450c
    • SHA512: b9430939daab0c8b7e77b96f2f7f85e8e1abd9f43eccbdf94078f77ef05b31a2a31f04ca3a2eff5aa7cc965029ed437af2eb100c197ef51f128ca827ad20e902
    • SSDEEP: 96:z7GUxNkO6GR0t9GKKr1Zd8NHYVVHp4dEeY3kRnHdMqqyVgN63e:fXhHR0aTQN4gRHdMqJVgNp

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks