General

  • Target

    a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4.exe

  • Size

    1017KB

  • Sample

    241005-b4khsayanm

  • MD5

    673d693b0c8b68503d64ed15fd863d61

  • SHA1

    4fb6b11e933354b9f7c5bda096543a5d6b56ff83

  • SHA256

    a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4

  • SHA512

    3996083d6b2f207e742a81a1dd11277c1bdb2631438a0ee72eeec88a57ff39fb2a7c9a100b30bc2839519c3019129d2157e89d6ade8cc326c4073daf4cc2bd27

  • SSDEEP

    24576:myN887MU2cPnNupjbW/5OheoofVmhGmfCtquly:myNVQUPNudihOhRdhHIqul

Malware Config

Extracted

Family

remcos

Botnet

IRN

C2

irnserv1.ddns.net:4424

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-CA8761

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4.exe

    • Size

      1017KB

    • MD5

      673d693b0c8b68503d64ed15fd863d61

    • SHA1

      4fb6b11e933354b9f7c5bda096543a5d6b56ff83

    • SHA256

      a77754ef6de4a61024e443178b88e50be8b1994f87b323ed7fa5f2f197acdab4

    • SHA512

      3996083d6b2f207e742a81a1dd11277c1bdb2631438a0ee72eeec88a57ff39fb2a7c9a100b30bc2839519c3019129d2157e89d6ade8cc326c4073daf4cc2bd27

    • SSDEEP

      24576:myN887MU2cPnNupjbW/5OheoofVmhGmfCtquly:myNVQUPNudihOhRdhHIqul

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.