General

  • Target

    1.gz

  • Size

    893KB

  • Sample

    241223-lb9mbaxqgy

  • MD5

    3da758f3dd63c65268d64ce6bae7ee05

  • SHA1

    710685e020757f550dbf7fc684545da5fe97a7b7

  • SHA256

    b4d1b79459e02f66fae43fa71b6422be611fc7595306875ad87eddaa0e07ac5c

  • SHA512

    db6d8cb0f368b021905edcdb5d6d199991eebb79ec148f4443a4ff136d7c65c30372974e142986c7c91b37c1da2b8daf25f755e7e1b9ca96a3ba7b9da6f8a0fc

  • SSDEEP

    24576:oejs9tVi+BU7popGKxwl+kEbWPEdo/Or8DRt:oEyOQsophxy+kgU3oARt

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.241.208.87:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7DRXD9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Quotation.exe

    • Size

      1.0MB

    • MD5

      67b86e9595c2d0d2f44454ec239fda56

    • SHA1

      1a44600a7b4e010174d99c152dc20fef1d84061a

    • SHA256

      905eb3c354f4f1210442b25983482a2612d6354df9c3d26beb9a0bdaf1e9ac04

    • SHA512

      73fb542c826f8e75683e7944f0f616d2317d17c5cc153610e7d2107c6da7458da00c89e797aa4f59c92d92095dcf884ef9474cf7ac5dcc4bf526aa8389486604

    • SSDEEP

      24576:BHAXaxESQklIlQcZrVs+3FvrVOuHvKYKrVFmdGp7N1/TBt:BgAlFUrv3FjwuPKYaGK/t

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks