General

  • Target

    newthingswithgreatupdateiongivenbestthingswithme.hta

  • Size

    143KB

  • Sample

    241216-txc48svnbt

  • MD5

    fd6fc3abb81de5133fb2de54b937ca20

  • SHA1

    241f7fa153504078a9a9b07f966f3c4e862a9545

  • SHA256

    73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644

  • SHA512

    5c37a3432112eb422e264101706a1c9e5bb7c266f064e8618b96e7e6e185800ffdf315d02f27cc23cd07e6a854bbbe19ccb5173eff885f8c808d76d6dab86516

  • SSDEEP

    768:tlEHKFlVum2oum2QB3S5KUJDVUKhC74GVf/AyK+v6Aq1Xl7zPRDIfz9esnkoFfz7:tl

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GJDISH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      newthingswithgreatupdateiongivenbestthingswithme.hta

    • Size

      143KB

    • MD5

      fd6fc3abb81de5133fb2de54b937ca20

    • SHA1

      241f7fa153504078a9a9b07f966f3c4e862a9545

    • SHA256

      73d0a015a1d5a1a846d3451a8ba70964c56581b06279208cb87c6c2eea1a6644

    • SHA512

      5c37a3432112eb422e264101706a1c9e5bb7c266f064e8618b96e7e6e185800ffdf315d02f27cc23cd07e6a854bbbe19ccb5173eff885f8c808d76d6dab86516

    • SSDEEP

      768:tlEHKFlVum2oum2QB3S5KUJDVUKhC74GVf/AyK+v6Aq1Xl7zPRDIfz9esnkoFfz7:tl

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v15

Tasks