General

  • Target

    4aa7d5055d37293efea2b6d715e655f07f3b153f31651278c7576575e7247769.exe

  • Size

    976KB

  • Sample

    241030-cv59katjf1

  • MD5

    fa638e5dcb26f16f0c960ed10f387782

  • SHA1

    85fefdf55321e998f93ebb52c63c275863e14e21

  • SHA256

    4aa7d5055d37293efea2b6d715e655f07f3b153f31651278c7576575e7247769

  • SHA512

    f1ccbd0af2a2bb0935df69f4471260c1056c5cca587294154dc0794f4642b381bbf87de5a757afa711434d17787cfa94e652c60f5a55ac51522626581f790bae

  • SSDEEP

    24576:KVLOy/gpKgVD/MXQPlv2aOxwyi85CDRmueO0kF:K9ObpKkMgPlv2aOyyP5CxX

Malware Config

Extracted

Family

remcos

Botnet

TEEWIRE10/27/24

C2

teebro1800.dynamic-dns.net:2195

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ISGDIO

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      4aa7d5055d37293efea2b6d715e655f07f3b153f31651278c7576575e7247769.exe

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks