General

  • Target

    46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54.msi

  • Size

    2.8MB

  • Sample

    241222-cnvjgsyqgw

  • MD5

    a2a7ff35bd33480418bd39e0832d0875

  • SHA1

    8cd2ec2310b1240ffa9944631c409e658cea03a7

  • SHA256

    46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54

  • SHA512

    20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c

  • SSDEEP

    49152:IiSoOl+YyNuCClJkqwhmsl5aBZJnxsTKHgX7Gu0ojmWS8MqIugHt:It7+YJCCvkEsloxTHZojmWhDg

Malware Config

Extracted

Family

remcos

Botnet

Teddy

C2

adminitpal.com:8080

adminitpal.com:443

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    5

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    putty

  • mouse_option

    false

  • mutex

    tRvr-YKFHJK

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Putty

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;chrome;edge;

Targets

    • Target

      46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54.msi

    • Size

      2.8MB

    • MD5

      a2a7ff35bd33480418bd39e0832d0875

    • SHA1

      8cd2ec2310b1240ffa9944631c409e658cea03a7

    • SHA256

      46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54

    • SHA512

      20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c

    • SSDEEP

      49152:IiSoOl+YyNuCClJkqwhmsl5aBZJnxsTKHgX7Gu0ojmWS8MqIugHt:It7+YJCCvkEsloxTHZojmWhDg

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks