General

  • Target

    3695d3c82f5a869499526d8007ed33a39b319fd8e24da099cc9effc16a9da358

  • Size

    7KB

  • Sample

    241210-cz7yyswjfl

  • MD5

    6576b2dd464a0fb58d33714f27be0718

  • SHA1

    388b1edf2b654c10db11de15332f2e820d7c209d

  • SHA256

    3695d3c82f5a869499526d8007ed33a39b319fd8e24da099cc9effc16a9da358

  • SHA512

    e66f4a87fff64f7a563e8de8e46895018b73e5b53c3954ffe88e325abf2ab5dc5a7d5c6074e481542c2a5245a2bf6507932ce31a11aedcda3737174ebbfd6b0c

  • SSDEEP

    192:LrQwQ4Occ81ZO7EcPoNk3+/QQ069gkGolQ7xXv:gH4OcB1MEcg+3tQ0693Q75v

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

154.216.17.190:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-3W6OXK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Payment_Advice.vbs

    • Size

      13KB

    • MD5

      ce76fce7bb9efe32690687720945a588

    • SHA1

      3973db2472d805fa2d63909b039d099e7ad719ca

    • SHA256

      aa45711675046342a10174fe5e6de73d12a9ad917d993b85c9fa0dea64f30ed8

    • SHA512

      0aec07127e40478eb2217b5e23331422d201b428e00ee9f42f59e5790f696edac680067188348827048cff4d959f342aa0b889b2d57ca9d2fdae9500483f1ca1

    • SSDEEP

      384:gq5TlOXg09fdy5iHz3sPQ3uROvIWdZrVspv7x:gK5OXV9FMiT82uRiI+Zu3

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Detected Nirsoft tools

      Free utilities often used by attackers that can steal passwords, product keys, etc.

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Accesses Microsoft Outlook accounts

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15