General

  • Target

    9e19fd2499e9ffb9ca4eab08d9054a86.exe

  • Size

    80.4MB

  • Sample

    241206-t2hwaawqgt

  • MD5

    9e19fd2499e9ffb9ca4eab08d9054a86

  • SHA1

    198946086afa2544e8f86463f15fa321aa45f7e0

  • SHA256

    7fedcec3a38dec8650ae2f64271b19c01372881ce83f1fe4597f85b26c4a0732

  • SHA512

    e4e9cefb633a191f9e562a1fcf4176121b31f69f1d528a3505f381584c5d6c9100982de28684307cfabac7461a173dfd6a12d5d685dffb449d60cba209053d4e

  • SSDEEP

    1572864:Vl2/ebAbW6FLl4oabh+XJhXhQiB1dJdYVkq7U4hmfixRR:VJ0bthlXOh01VJY+qw0ui3R

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.42.12.39:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    jesusapt

  • mouse_option

    false

  • mutex

    JESUSAPT-7R4T5W

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      9e19fd2499e9ffb9ca4eab08d9054a86.exe

    • Size

      80.4MB

    • MD5

      9e19fd2499e9ffb9ca4eab08d9054a86

    • SHA1

      198946086afa2544e8f86463f15fa321aa45f7e0

    • SHA256

      7fedcec3a38dec8650ae2f64271b19c01372881ce83f1fe4597f85b26c4a0732

    • SHA512

      e4e9cefb633a191f9e562a1fcf4176121b31f69f1d528a3505f381584c5d6c9100982de28684307cfabac7461a173dfd6a12d5d685dffb449d60cba209053d4e

    • SSDEEP

      1572864:Vl2/ebAbW6FLl4oabh+XJhXhQiB1dJdYVkq7U4hmfixRR:VJ0bthlXOh01VJY+qw0ui3R

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates processes with tasklist

    • Sets desktop wallpaper using registry

    • Target

      $PLUGINSDIR/SpiderBanner.dll

    • Size

      9KB

    • MD5

      17309e33b596ba3a5693b4d3e85cf8d7

    • SHA1

      7d361836cf53df42021c7f2b148aec9458818c01

    • SHA256

      996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

    • SHA512

      1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

    • SSDEEP

      192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY

    Score
    3/10
    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      LICENSES.chromium.html

    • Size

      8.7MB

    • MD5

      6ff57c0aeccdf44c39c95dee9ecea805

    • SHA1

      c76669a1354067a1c3ddbc032e66c323286a8d43

    • SHA256

      0ba4c7b781e9f149195a23d3be0f704945f858a581871a9fedd353f12ce839ca

    • SHA512

      d6108e1d1d52aa3199ff051c7b951025dbf51c5cb18e8920304116dcef567367ed682245900fda3ad354c5d50aa5a3c4e6872570a839a3a55d3a9b7579bdfa24

    • SSDEEP

      24576:2o9dQ06p6j6j1WOwRiXjYmfy6k6mjK64jK6gjK6e6cjK6feGjl8PpE:BFOeGT

    Score
    3/10
    • Target

      NSIS.exe

    • Size

      180.1MB

    • MD5

      bd4906b9305afec35a88a3387bcb9fac

    • SHA1

      1d32e6f1c6ba770c3b2625d0241be0f2d4581b5d

    • SHA256

      a674229c90366a8300ad63c8ae675c2bc1c12307bccb00ae818dfa67c1955bf5

    • SHA512

      40966c176eaf9e025597599cb99532b3c36c3e72bcf991b95a450eb26f663b61a79933d741cce807e18c198239e3c49973189e9eb2cdbaf4b29115a6c25ff09a

    • SSDEEP

      1572864:1wl41lgY+w9QLv1JWYc6UeOtUUGQUT1jdu4BPPuuwT2GOqiB1sr7zjg7ob753oUV:rF4oD0QdG09P

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Sets desktop wallpaper using registry

    • Target

      d3dcompiler_47.dll

    • Size

      4.7MB

    • MD5

      a7b7470c347f84365ffe1b2072b4f95c

    • SHA1

      57a96f6fb326ba65b7f7016242132b3f9464c7a3

    • SHA256

      af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

    • SHA512

      83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

    • SSDEEP

      49152:hCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvdiD0N+YEzI4og/RfzHLeHTRhFRN1:oG2QCwmHjnog/pzHAo/Ayc

    Score
    1/10
    • Target

      ffmpeg.dll

    • Size

      2.8MB

    • MD5

      5a168cb3ea9d0e7400baabf60f6ab933

    • SHA1

      82a86cb7f42294ab4ad6669c19b92605d960b676

    • SHA256

      af5f1bc9f6a73750fa0c7bf17439700cfb3ab23e1393f0c9899825417e319b54

    • SHA512

      7c1441ecd049543e38297a7b6929e9f3eb978422d0ce508fbe6350ffebd297f947b8d9ec75bd2054142dcd8461eef1bf110e040d0830da977fde8944bece843d

    • SSDEEP

      49152:ZBAnytEwrZu/3Q8rvnh2UGH6qfhtvRIdefZiC6Cry2:ZBFE6kfbrvnh21K+io

    Score
    1/10
    • Target

      libEGL.dll

    • Size

      481KB

    • MD5

      39ccf402a62f068a8c573b45ea96154d

    • SHA1

      57ceb915ea6f88c7fcca35339bf951659c0338ab

    • SHA256

      8649d77ace8e5753b9a10e7ae3349aafa9d8e3406ba9c8c36a59633a84b3c41b

    • SHA512

      c4f9225c54d413176cb3dd2b26d429493fd056c7c283bc7a1c52b4a2059dbb11380daf5d847be1ff29f058ba0ef44d4bf66a3d9e9a600000dc8f6d20dfb2ed03

    • SSDEEP

      6144:0PfRujpqWG9btH+M1wLPfj9iDcHetGsHUN0dxI2H6sNkD4Fvh2W:eAWt+MWLPfjkVGbN0dxI2H63D4Bh2

    Score
    1/10
    • Target

      libGLESv2.dll

    • Size

      8.0MB

    • MD5

      f055a130c79bd517bdb53b1f8a38bd3b

    • SHA1

      9fba0ad4ba973bb285b23cc125004baf61a98b5a

    • SHA256

      45b53759392b81ce7d916b3f1cf02be30289809bd31d09fc1524ef2609183b17

    • SHA512

      d9dcb217f268862c577cacf4e9f84c63e02b647113d484338a74eb0b24fadd6d87b4e7a551dd1ef692bb38e44562bff848982acb62840d4f49f91a7751320e34

    • SSDEEP

      98304:Q7XpFwEPVsR+1HYJnahAB4tVsX43wYMg:QXVrAtsw

    Score
    1/10
    • Target

      resources/elevate.exe

    • Size

      105KB

    • MD5

      792b92c8ad13c46f27c7ced0810694df

    • SHA1

      d8d449b92de20a57df722df46435ba4553ecc802

    • SHA256

      9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37

    • SHA512

      6c247254dc18ed81213a978cce2e321d6692848c64307097d2c43432a42f4f4f6d3cf22fb92610dfa8b7b16a5f1d94e9017cf64f88f2d08e79c0fe71a9121e40

    • SSDEEP

      3072:1bLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWl:1PrwRhte1XsE1l

    Score
    3/10
    • Target

      vk_swiftshader.dll

    • Size

      5.3MB

    • MD5

      6720d5dcda6737eb0cc5a352a47414dc

    • SHA1

      03d9a8e350f485dd955f7dee06bfc46371753032

    • SHA256

      d8f36b089d83157abc271d9fe125919c3237943fa9789a511ac5ef1d41e2e3af

    • SHA512

      de5ade6ce14b14957fce669c4181af1e6a6f540798d1c6720b56ff281f813a6ce4446bde33a8f175d2484e07f4911f93a773cac1d372cbe3b26be634b3fa1686

    • SSDEEP

      49152:zBVtMrKyOsxYYAKDsJS86IxORjgUlC3K/FAz4gdm6o4oX7uh5LC6MW4LY67h772c:jWKyOEnOnoLrWbfDiN9isC

    Score
    1/10
    • Target

      vulkan-1.dll

    • Size

      874KB

    • MD5

      b6d3af84e8be0027741aa6077768789e

    • SHA1

      e525f2434dc56f79644695f5841e91dd5f80eec4

    • SHA256

      376ff6892ec7b406acd8c455ac82f8541e59e3757195488ff04cd9f20d554562

    • SHA512

      f03b8792a740679c8a1a8ce0615b7876cc811130085f3ffb42182e0cb846519603804da97fc93a8abebee01e03fd257df289c54575da8faaad018f4f4bae606a

    • SSDEEP

      24576:FhJnfYUcguY3cTAL6Z5WjDYsHy6g3P0zAk7TNb:FhVrXN3oAL6Z5WjDYsHy6g3P0zAk7T

    Score
    1/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ec0504e6b8a11d5aad43b296beeb84b2

    • SHA1

      91b5ce085130c8c7194d66b2439ec9e1c206497c

    • SHA256

      5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

    • SHA512

      3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

    • SSDEEP

      96:YjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkNq3m+s:JbogRtJzTlNR8qD85uGgmkNr

    Score
    3/10
    • Target

      $PLUGINSDIR/nsis7z.dll

    • Size

      424KB

    • MD5

      80e44ce4895304c6a3a831310fbf8cd0

    • SHA1

      36bd49ae21c460be5753a904b4501f1abca53508

    • SHA256

      b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

    • SHA512

      c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

    • SSDEEP

      6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck

    Score
    3/10
    • Target

      $R0/Uninstall NSIS.exe

    • Size

      296KB

    • MD5

      9a606f191ba036a232b5d09aead537c4

    • SHA1

      f4bded6b73c3cb67e20cc2480c681bd67e03d29a

    • SHA256

      0898c038d2c97ec8646ab4cfd783d7c46e2ec2774375065b5c75bf3d702517fb

    • SHA512

      ed1d039b7e8a0b76872caa1edc52ffe9dcb0c697e2e249a7c52072c1dd626e48ba5fd3c16c2156af145729f2dd39836c12678e76bd78623ecba5a8982451a1b6

    • SSDEEP

      3072:Nn77v00hEoDEtauPnig6AbTXFif6lxCHaH2tvhOEA1RJCir86SrSrv6Ia3W:N740I/ig9XFifyes2t0EyL+yaG

    Score
    7/10
    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      100KB

    • MD5

      c6a6e03f77c313b267498515488c5740

    • SHA1

      3d49fc2784b9450962ed6b82b46e9c3c957d7c15

    • SHA256

      b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

    • SHA512

      9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

    • SSDEEP

      3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v

    Score
    3/10
    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    • Target

      $PLUGINSDIR/WinShell.dll

    • Size

      3KB

    • MD5

      1cc7c37b7e0c8cd8bf04b6cc283e1e56

    • SHA1

      0b9519763be6625bd5abce175dcc59c96d100d4c

    • SHA256

      9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

    • SHA512

      7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

    Score
    3/10
    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      ec0504e6b8a11d5aad43b296beeb84b2

    • SHA1

      91b5ce085130c8c7194d66b2439ec9e1c206497c

    • SHA256

      5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

    • SHA512

      3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

    • SSDEEP

      96:YjHFiKaoggCtJzTlKXb0tbo68qD853Ns7GgmkNq3m+s:JbogRtJzTlNR8qD85uGgmkNr

    Score
    3/10

MITRE ATT&CK Enterprise v15

Tasks

static1

Score
3/10

behavioral1

discovery
Score
7/10

behavioral2

remcosremotehostdiscoveryexecutionransomwarerat
Score
10/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

discovery
Score
3/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

remcosremotehostdiscoveryexecutionransomwarerat
Score
10/10

behavioral12

Score
1/10

behavioral13

Score
1/10

behavioral14

Score
1/10

behavioral15

Score
1/10

behavioral16

discovery
Score
3/10

behavioral17

discovery
Score
3/10

behavioral18

Score
1/10

behavioral19

Score
1/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
7/10

behavioral25

discovery
Score
7/10

behavioral26

discovery
Score
3/10

behavioral27

discovery
Score
3/10

behavioral28

discovery
Score
3/10

behavioral29

discovery
Score
3/10

behavioral30

discovery
Score
3/10

behavioral31

discovery
Score
3/10

behavioral32

discovery
Score
3/10