General

  • Target

    544116117da37bf986d04bf94b6da210d9062ea46696e37ee5dd24ea6bdb3b54.exe

  • Size

    3.7MB

  • Sample

    241113-vhaagavnfy

  • MD5

    003d16076aa5fdfea7c57b61ac94be32

  • SHA1

    2faa88f6ef995584f4bff132ead92d780112f803

  • SHA256

    544116117da37bf986d04bf94b6da210d9062ea46696e37ee5dd24ea6bdb3b54

  • SHA512

    5237a766c6771d715dd2928ca6d1b54bb638ff4f278394aec681700b32105bbe6dd51a44ccbf84ff628ce0b2fee1367930a7bfb48b5a46f4ad91f8789d4cc92e

  • SSDEEP

    12288:8EsEqWDSTFM2Txgi4bEcxpzYiwpb5ZaHhhx8FNA+fyXETyTyt8spi6ixg4dy:9qWD0MsgbZp8yzmbA+fJTyTytxpqz8

Malware Config

Extracted

Family

remcos

Botnet

GASPLANT

C2

dotatech.de:30908

Attributes

  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    chrome-SYTYBI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      544116117da37bf986d04bf94b6da210d9062ea46696e37ee5dd24ea6bdb3b54.exe

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks