General

  • Target: RFQ Nr. 201124559-201124569-201175771.com
  • Size: 629KB
  • Sample: 241125-gxypqaymgn
  • MD5: ea3570960a117b551ef4d63afb90594a
  • SHA1: 25e8d6660e6bdf88c78a484ecc49f1f5e862902d
  • SHA256: b42f7b1685c9fa69b07eec4870ae1f573a48ad04c369e452482edbbfed654c24
  • SHA512: 822fd9ae05be68403868ce69aa9944b90d6a3285c8a17d1009cccff02ebd2bc10dc6434cb0473a3e5a5c58c849e3dee112819bf5a6ca395d3447eba65f11d076
  • SSDEEP: 12288:2ZPsXk8zK2u+4rYnH12g+ohTHPU66swKpUHsTx6I+0X:CWhu6H1ZtFPU9skMTxX+0X

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2:
      • 191.101.51.117:11371
      • 191.101.51.117:10050
      • 191.101.51.117:10051
      • 191.101.51.117:24554
      • 191.101.51.117:2700

Attributes

  • audio_folder: MicRecords
  • audio_path: ApplicationPath
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-XS1JNK
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: RFQ Nr. 201124559-201124569-201175771.com
    • Size: 629KB
    • MD5: ea3570960a117b551ef4d63afb90594a
    • SHA1: 25e8d6660e6bdf88c78a484ecc49f1f5e862902d
    • SHA256: b42f7b1685c9fa69b07eec4870ae1f573a48ad04c369e452482edbbfed654c24
    • SHA512: 822fd9ae05be68403868ce69aa9944b90d6a3285c8a17d1009cccff02ebd2bc10dc6434cb0473a3e5a5c58c849e3dee112819bf5a6ca395d3447eba65f11d076
    • SSDEEP: 12288:2ZPsXk8zK2u+4rYnH12g+ohTHPU66swKpUHsTx6I+0X:CWhu6H1ZtFPU9skMTxX+0X

    Signatures

    • Guloader family
    • Guloader, Cloudeye: a shellcode-based downloader first seen in 2020.
    • Remcos: Remcos is closed-source remote control and surveillance software.
    • Remcos family
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext

    • Target: $PLUGINSDIR/System.dll
    • Size: 12KB
    • MD5: 8cf2ac271d7679b1d68eefc1ae0c5618
    • SHA1: 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
    • SHA256: 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
    • SHA512: ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3
    • SSDEEP: 192:BenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XB9IwL:B8+Qlt70Fj/lQRY/9VjjlL

    Score: 3/10

MITRE ATT&CK Enterprise v15

Tasks