General

  • Target

    InspectorNvidiaPro-64.rar

  • Size

    4.1MB

  • Sample

    241210-pz7dms1kaq

  • MD5

    f9cf7a5e0af0747f878d5d327d341a10

  • SHA1

    f0921b5942914ab8d323c7a13c07fea8a73bd3cb

  • SHA256

    6027eb649c27aa6c1ee848061c7733403a250a40989c4fdee84e7ffee3811cf7

  • SHA512

    0fce9497b1b8054d7a427409b256f91a9b88f93aacbea24cbac15c366866820cb134587dfc4652e3567b1a47e60f3aff736d050c9680b85cb0564752300dafbf

  • SSDEEP

    98304:diwl1HxvJStAf1p/VUUw5buDz6kH4yPEGxcXu3BDHxlCuAQV/:di21GAdp/VTCaYy5QIBFAAR

Malware Config

Extracted

Family

remcos

Botnet

5003

C2

92.255.85.63:5003

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7Z8WNB

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      InspectorNvidiaPro-64.exe

    • Size

      1.6MB

    • MD5

      912c89ac3e4ab699bd11cd2fc5da0bb2

    • SHA1

      cd1499b70f084dca31343adb170fe3f618bd5933

    • SHA256

      01f24017584c20793bdb7a066a1054b4474310ccda8ddd19a9521aa7cb0708ba

    • SHA512

      b7fcf3222e862afae298ab32ba82be3fa90b01fc04f66c3a4e6b2b9e1f6556e15be9b8f331b0f466dcd1be127d14d2fa0ad711bcea46e0485454a53642c74ccd

    • SSDEEP

      24576:j7FUDowAyrTVE3U5FEimXsOKK56BCObsE6UtoZmUd2N6xSIJQRn+KAXu:jBuZrEUzmXb0CUj1Ud2sMnNJ

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks