General

  • Target

    12cae931fcb16e4e8d7c47130275d2685dd626a2225be3af8712e9fbc6f8ac3c

  • Size

    832KB

  • Sample

    241114-flw63sveql

  • MD5

    8cffb07cd9aaca7bafdc9f71d43c354b

  • SHA1

    197ccd33fcf615b6bd0af0d936146ee2ba834eda

  • SHA256

    12cae931fcb16e4e8d7c47130275d2685dd626a2225be3af8712e9fbc6f8ac3c

  • SHA512

    9d7e7438b4d9f84e7e6f9e5378dae8c35972807a97fbd89a6a4c8f3f5e57c7337f4b782f38ed45def5b518377157baf08360d8806f026bc7ea0c82f071217d95

  • SSDEEP

    24576:lzcMlfdgWlVoVwZ57wEtlnF5zXrye7isVeebewgYwcKBI:+cfdgWlkqwUvzX+tSe73i

Malware Config

Extracted

Family

remcos

Botnet

GASPLANT

C2

dotatech.de:30908

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    chrome-SYTYBI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      LPO.exe

    • Size

      1.8MB

    • MD5

      c3bf525ab42ea2e0a37a55b290dd13bf

    • SHA1

      665e8ac35e69dc4a1fa273bd35703a201f9b074d

    • SHA256

      7a422ffa32fcdb0ca5698ef80ea3a7bed96b3fc42e008b0458256f4c680bd395

    • SHA512

      d6f71d29a5e4b94d04181791edf55d22c3640e2c4115a1b17f4d6c14b79ea0b728a06acb0a0c3848ac4edae8535cf923585af13236fdeddf0051345d083fa9d8

    • SSDEEP

      12288:qLXh08hSxuM4AUQC46V10t5hwv1xh14VGpxJz5W+EQpOIzkTJXY8I+6yi:QXNSNVt5+vPh14gxJzsQpOmkTJXY5

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • UAC bypass

    • Windows security bypass

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Uses the VBS compiler for execution

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks