General

  • Target

    31102024_0254_Kaufvertrag-Markus-Daten.vbs

  • Size

    366KB

  • Sample

    241031-dd3b1swqhs

  • MD5

    28489bd43750ec8a5017ec4bb7ca68e2

  • SHA1

    90e42439a8179e56d56ffd5a2c97d7ff7f0daaca

  • SHA256

    7e6c9757b46fc71815670a8056b6db913409bb571775642ef865ea633fe41cc9

  • SHA512

    9470e3c42bf13f73bf43abdaacad0721a213b0e5b9376a2ce813ba39d55f8e154fe959dce2dd0cf6cb56904fbbf0003360e4f38e576cf330447cb8d0b9ff1f1c

  • SSDEEP

    6144:QUad3PmM9BogPjFvVHhSZH/7h4hpAQErkpZPU/I7CIkKOmPPMWUwUhkOy96SZGFT:aQL6PErk7gvOZMmanT1A02Oh

Malware Config

Extracted

Family

remcos

Botnet

TelOu62tos

C2

www.tla-autos.com:9945

Attributes

  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    TeleAuto8926-8WB4GE

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15