General

  • Target

    cbb302b30ee9eeaede1bca45603d3363e42d2d3302574467186eff6fd5349310N.exe

  • Size

    959KB

  • Sample

    241220-csjmsaxlhl

  • MD5

    ec320d17514670ae8d4a19b226572d60

  • SHA1

    5c3eadd977f46dcc4b3c7dbd3513b4f22970354d

  • SHA256

    cbb302b30ee9eeaede1bca45603d3363e42d2d3302574467186eff6fd5349310

  • SHA512

    383f07b53d26bb166e1f059159a632e60f8604e8765314663f606f0cb5e4b1893c82ed9dccdcfb1431cf034dc95c959fda354740408639c52306a8e4a28e6ed5

  • SSDEEP

    12288:bfeDOa9r5j5XqkJD0QrOod7XxlW91RRep+rgRNyA55IxJ2DJn0p51:SD39dlfGQrFUspugRNJI2DJn0pf

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

remcos

Botnet

Host

C2

213.183.58.19:4000

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    read.dat

  • keylog_flag

    false

  • keylog_folder

    CastC

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_sccafsoidz

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      cbb302b30ee9eeaede1bca45603d3363e42d2d3302574467186eff6fd5349310N.exe

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
