General

  • Target

    30102024_0722_Kemilab-291024Updatedpricelist.vbs.gz

  • Size

    329KB

  • Sample

    241030-jgja7sxpas

  • MD5

    6261b2fa2e7435cfa1f5c6eb9e9ef881

  • SHA1

    4ffacfc4616515f46d96b25e0f5274b552a9621c

  • SHA256

    9c846be3b660bd458875edf13af88e8e855e934c09458b3e5e469f788136edaf

  • SHA512

    9e20d3f152b5b1ed4d6054a0db38f1f6e1a7c38efd12c59e15dfc300b5b281461c46cb20a9f1b68821171eda73a1bb889d620a009b66d019710ea88bb6cf9492

  • SSDEEP

    6144:ci5o+pLlXJ1tnin9NmIH9/mRBi0Jlblqj+TT7y6loQDQ0CS1XXhVcDB/cL:cKl51tiCGmBiGYj+TTrhDQ0dcFUL

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    duntc

  • C2

    duntcesst.duckdns.org:53956

Attributes

  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-HBDZ3I

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Kemilab - 291024 Updated price list.vbs

    • Size

      762KB

    • MD5

      be194e845d98b549c86d0b9554195b0e

    • SHA1

      5385080d90d6ff6639094e0ceb8cb93ec1a76007

    • SHA256

      254fcdccf5d7bbd1b807f553d85da4213c86cc538ac0fbaef3dcd25e6b5537e2

    • SHA512

      46f37fd62aaaed52d64533f6da24078e06982b5f05ab2dfecd2a8eaef30e354835d9e77389b91d177e185f5ae341e3547bf3e6564af283a0ef638f56043f0ce1

    • SSDEEP

      6144:GLhgReyC6VWe1rl+o0c6dM5t2wgtTuIflUbbp5lrmhKgzoCMWkm3Lvf3/0gFKMcu:dov97Hfeaz86Cq1BQVglyLE1HfJyuWo

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks