General

  • Target

    Rokadernes.vbs

  • Size

    71KB

  • Sample

    241223-geya8swphw

  • MD5

    693321a98dce16a4369d750bac3c4fb0

  • SHA1

    cadf2497394e79cfd3c02a4f5bbb1adb6503d29c

  • SHA256

    d719392462e09d59474cafa8d7b107d4e3063a664a51e87c5e2b750cf100be69

  • SHA512

    8e97a99d8c64243fb6a348703d5bde412e599064162fc44be9f07cc28c78fff28720cce03df253c8537dd370abbaad0748fa02f2b828a64b54c6504d4eeaf1c5

  • SSDEEP

    1536:mYzMve/RmHTWUZnz7FcfIJVd00cYiEzYfOEt2b4:mYiepmzWqz5tJ300bz9Et2b4

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

87.120.120.51:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-6US4Y7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Rokadernes.vbs

    • Remcos

      Remcos is a closed-source remote-control and surveillance tool (RAT).

    • Remcos family

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger
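The extracted configuration (C2 endpoint, mutex name, copy folder and file name, install flag) and the behaviours flagged above (script host making a network request, execution from the dropped location, Run-key persistence) can be turned directly into host and network detections. The following Python is an added example and is not part of this sandbox report or of Remcos itself: it builds matchers from the config values shown above and runs them over constructed Sysmon-style events. It assumes that Remcos creates copy_folder and keylog_folder under %AppData% (the report shows only the folder names) and that the sandbox's "blocklisted process" list contains the usual Windows script hosts; neither assumption is stated on the page, and the telemetry is constructed, not captured.

```python
import re

# Configuration values copied from the "Malware Config" section of this report.
REMCOS_CONFIG = {
    "c2": ["87.120.120.51:2404"],
    "mutex": "Rmc-6US4Y7",
    "install_flag": True,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
}

# Assumption: the sandbox's "blocklisted process" list includes the common
# script hosts; the report does not name its list.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"


def _appdata_path_pattern(folder, name):
    """Regex matching %AppData%\\<folder>\\<name> at the end of a Windows path.

    Assumption: Remcos creates copy_folder / keylog_folder under %AppData%
    (C:\\Users\\<user>\\AppData\\Roaming); the report shows only the names.
    """
    return re.compile(
        r"\\AppData\\Roaming\\" + re.escape(folder) + r"\\" + re.escape(name) + r"$",
        re.IGNORECASE,
    )


def build_indicators(cfg):
    """Turn the extracted config into indicators that telemetry can be matched on."""
    ind = {"c2": set(), "mutex": cfg["mutex"], "install_path": None, "keylog_path": None}
    for hostport in cfg["c2"]:
        host, _, port = hostport.rpartition(":")
        ind["c2"].add((host.lower(), int(port)))
    if cfg["install_flag"]:
        ind["install_path"] = _appdata_path_pattern(cfg["copy_folder"], cfg["copy_file"])
    if cfg["keylog_flag"]:  # false for this sample: no logs.dat is expected on disk
        ind["keylog_path"] = _appdata_path_pattern(cfg["keylog_folder"], cfg["keylog_file"])
    return ind


def match_event(ind, ev):
    """Return the list of indicator names that one Sysmon-style event hits."""
    hits = []
    kind = ev["type"]
    if kind == "network_connect":
        if (ev["dst_ip"].lower(), int(ev["dst_port"])) in ind["c2"]:
            hits.append("remcos_c2")
        if ev["image"].rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            hits.append("script_host_network")  # "Blocklisted process makes network request"
    elif kind == "process_create":
        if ind["install_path"] and ind["install_path"].search(ev["image"]):
            hits.append("remcos_install_path_exec")  # "Executes dropped EXE"
    elif kind == "registry_set":
        data = ev["data"].strip('"')
        if (ev["key"].lower().endswith(RUN_KEY_SUFFIX)
                and ind["install_path"] and ind["install_path"].search(data)):
            hits.append("remcos_run_key_persistence")  # "Adds Run key to start application"
    elif kind == "mutex_create":
        if ev["name"] == ind["mutex"]:
            hits.append("remcos_mutex")
    elif kind == "file_create":
        if ind["keylog_path"] and ind["keylog_path"].search(ev["path"]):
            hits.append("remcos_keylog_file")
    return hits


def scan(events, cfg=REMCOS_CONFIG):
    """Map event id -> hits for every event that matched at least one indicator."""
    ind = build_indicators(cfg)
    return {ev["id"]: h for ev in events if (h := match_event(ind, ev))}


# Constructed telemetry (not from the report): an infection chain as Sysmon
# would record it, plus one benign browser connection as a negative control.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Rokadernes.vbs"'},
    {"id": 2, "type": "network_connect", "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "87.120.120.51", "dst_port": 2404},
    {"id": 3, "type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\Remcos\remcos.exe", "cmdline": "remcos.exe"},
    {"id": 4, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Remcos",
     "data": r'"C:\Users\alice\AppData\Roaming\Remcos\remcos.exe"'},
    {"id": 5, "type": "mutex_create", "name": "Rmc-6US4Y7"},
    {"id": 6, "type": "network_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "142.250.74.36", "dst_port": 443},
]

if __name__ == "__main__":
    for ev_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {ev_id}: {', '.join(hits)}")
```

The install-path matcher deliberately ignores the user name and is case-insensitive, so it holds across hosts; the Run-key check requires the value data to point at that path rather than keying on the value name, which the report does not give. Because keylog_flag is false in this config, the keylog indicator is left unset rather than producing a logs.dat path that this sample will never write.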

MITRE ATT&CK Enterprise v15