General

  • Target

    e8f7e74c1dcc5b41ab270db144dc219ba8e6ad986299a7fd82ce458ea7930caa.exe

  • Size

    1.4MB

  • Sample

    241219-jl2cksvrbt

  • MD5

    0b4484f89131f3ab8cf9a4a89d7884c7

  • SHA1

    d20746a8b2954a3a3831de201ffc88213b99dd11

  • SHA256

    e8f7e74c1dcc5b41ab270db144dc219ba8e6ad986299a7fd82ce458ea7930caa

  • SHA512

    5549dfa9acf2eb16c40026ed03bb40e6d128f74cdc54646ace01b3df7d321412f3f6a9c4ce551f090889711b34e01d80aedee7fae01a665b0b99e79058878f03

  • SSDEEP

    24576:1D39dlfGQrFUspugRNJI2DJnUw9W/j+BeKJOW:1F+QrFUBgq25eKwW

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      e8f7e74c1dcc5b41ab270db144dc219ba8e6ad986299a7fd82ce458ea7930caa.exe

    • Remcos

      Remcos is closed-source remote control and surveillance software, sold commercially and widely abused as a RAT.

    • Remcos family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence to avoid running in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
