General

  • Target

    12112024_2353_DocumentBT24pdf.vbs.zip

  • Size

    46KB

  • Sample

    241113-ab851asnbv

  • MD5

    cc7b71a27716274190e3716e0d3cc349

  • SHA1

    2b49521f8c1833ceef370033e130f38119fd5163

  • SHA256

    eb88df06fa2f93f3615a04a593ff0c88098a6e4a9d0063dc3cfbd8931f0e625e

  • SHA512

    2ba5d97a1372255b453fbdd61ec5dfbf9551f6844cfb0ae708f9b5a74c855a9bc4883d7d3297fe46ebd56a717f29d66afb0ae3fa2626bc5881c04afad1476472

  • SSDEEP

    768:VEFQOVLjf0gRHK0G7/wpTGnnrqsb7YSxDoVYGrn9mRSRBjPM1VJdw0HwUMg4/1/O:VEqOVLjf0gRHsITGnVYuDoCGbktVJFnj

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

dvlqrd8dhs.duckdns.org:46063

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-0IGFAQ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Document BT24·pdf.vbs

    • Size

      86KB

    • MD5

      acd9a75b2f33064da7ebef088ed16cb9

    • SHA1

      8f51e47a0454c8032e2ecd90f85bb115e80b5f35

    • SHA256

      cecb613e2e7877b680323862198f05c9634c1dc3e7c64ed95cc3154e9c5e9fd4

    • SHA512

      06525377cfdc4e75fab11fd907a65c611bb9c880fe56bc68b3baa108b266e472813d3824969d6e6584c6b7d90b65379dfc633a15ef17bf24705a8195a5c657b3

    • SSDEEP

      1536:970ty9v0kvBGd9pOpuoNvhvJELsj+qOhkqXzkx5c3cYdg51VWXaAj2yTk:9Qk9vh5U9QLzFOhbwx5c3cYdqVWrTk

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • UAC bypass

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempt to gather information on host's network.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks