General

  • Target

    a2a7ff35bd33480418bd39e0832d0875.bin

  • Size

    2.8MB

  • Sample

    241223-bzerqstnal

  • MD5

    413cd9141e50be3152948748965330db

  • SHA1

    32e51a5512339bdf1e25f5d241d169106dc46616

  • SHA256

    b42a6ccaace158cfe939c39eb9aa26cbdd36566b8faf2ddf5cf35de925d61ffd

  • SHA512

    9e7543a284d7b3d042c0442e5c2c0ed2527cd5b897145ab5166320e5e7da2fb0c2a7092b3c0fc7d92fc0c4fe35261e5beda4a95231e7c3350ad31a81dafe8a68

  • SSDEEP

    49152:aF1QcnkCBUUSxVJ3OiduaxUdmjtr5LCw/PvqynmPIDjsBYJH0KbGfZ2dI:sSYUwi1xPhpXSyzDIevbGx2dI

Malware Config

Extracted

Family

remcos

Botnet

Teddy

C2

adminitpal.com:8080

adminitpal.com:443

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    5

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    putty

  • mouse_option

    false

  • mutex

    tRvr-YKFHJK

  • screenshot_crypt

    false

  • screenshot_flag

    true

  • screenshot_folder

    Putty

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;chrome;edge;

Targets

    • Target

      46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54.msi

    • Size

      2.8MB

    • MD5

      a2a7ff35bd33480418bd39e0832d0875

    • SHA1

      8cd2ec2310b1240ffa9944631c409e658cea03a7

    • SHA256

      46004e5408d63486737753e360a3c9ef74246163497c920d1ac7aa504c488e54

    • SHA512

      20b4bcc20bdd3d40ec0d2d3f8531615c5fce78339784dd8f346e6aeccdca8307f472e59d9f246daeb1e1a4343c9d6d53f83b2deb7eb21f5b4035b2d083ad037c

    • SSDEEP

      49152:IiSoOl+YyNuCClJkqwhmsl5aBZJnxsTKHgX7Gu0ojmWS8MqIugHt:It7+YJCCvkEsloxTHZojmWhDg

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks