General

  • Target

    JaffaCakes118_d80af7862cef512d90e2b4605667de680679c468b70986e2cf0d15f85e97f44d

  • Size

    8.0MB

  • Sample

    241224-m3dvdswlbl

  • MD5

    b7b7731b8b9ca6b72bd85d89fe3f32f4

  • SHA1

    4f7261fc5e6711c45de2e6999700ffb4ecd74a9f

  • SHA256

    d80af7862cef512d90e2b4605667de680679c468b70986e2cf0d15f85e97f44d

  • SHA512

    e101179579850ba3e55112ec312cbb3e45ee11199045023543ab067f7ae1afdd1f081e2a268081f8312f78b945c58ac8537729f0db46f7845890902f36a84222

  • SSDEEP

    196608:ie7SMiHHnIdvpp6Sfc0Z8rcPvYJihepxGoqOE:iPMWHypk0Z8gXCihqKH

Malware Config

Extracted

  • Family

    remcos

  • Version

    2.5.0 Pro

  • Botnet

    giga10

  • C2

    CEDSXoissLv2NiM.club:5762
    PgqduOYXVZeNNam.xyz:5762
    USd7O88wEMlUtX5.xyz:5762
    pMfiryhhkiN98Px.xyz:5762
    Se2Qwz60L2OxZNM.xyz:5762
    GWtY0fiG58DCq6F.xyz:5762
    maui16azsncpo97.info:5762
    mj99puoba6c3gun.info:5762
    tu90to3b4q4uqze.info:5762
    cwt1u0vv8ic357ov.info:5762
    agaoajz1hrvevre.info:5762
    poykoqnl7jkj632.info:5762
    cbiq1neygyp1wno.info:5762
    BCBNcQ393Z3HPLQ.club:5762

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-UQ8E24

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;
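The extracted config above is the most actionable part of the report: it names the mutex, the Run-key value, the drop and log locations, and fourteen C2 endpoints. The following script is an added example (not part of the sandbox report and not Remcos code) that turns those key/value pairs into host and network hunting artifacts. The values are copied from the report; the way the `*_path`, `*_folder` and `*_file` fields are joined into a single Windows path is an assumption drawn from the field names, and `host_iocs`, `parse_c2` and `c2_summary` are names chosen here.

```python
"""Hunting artifacts from the Remcos config shown in this report.

Added example, not part of the report or of Remcos itself. Config values
are copied from the report's Attributes and C2 sections; joining the
*_path / *_folder / *_file fields into one path is an assumption based
on the field names, not something the report states.
"""
import re
from collections import Counter

# Copied verbatim from the report's "Attributes" section.
CONFIG = {
    "mutex": "Remcos-UQ8E24",
    "startup_value": "remcos",
    "install_path": "%AppData%", "copy_folder": "remcos", "copy_file": "remcos.exe",
    "keylog_path": "%AppData%", "keylog_folder": "remcos", "keylog_file": "logs.dat",
    "screenshot_path": "%AppData%", "screenshot_folder": "Screenshots",
    "audio_path": "%AppData%", "audio_folder": "MicRecords",
    "install_flag": "false", "keylog_flag": "false",
    "screenshot_flag": "false", "take_screenshot_option": "false",
}

# Copied verbatim from the report's "C2" section.
C2_TEXT = """
CEDSXoissLv2NiM.club:5762
PgqduOYXVZeNNam.xyz:5762
USd7O88wEMlUtX5.xyz:5762
pMfiryhhkiN98Px.xyz:5762
Se2Qwz60L2OxZNM.xyz:5762
GWtY0fiG58DCq6F.xyz:5762
maui16azsncpo97.info:5762
mj99puoba6c3gun.info:5762
tu90to3b4q4uqze.info:5762
cwt1u0vv8ic357ov.info:5762
agaoajz1hrvevre.info:5762
poykoqnl7jkj632.info:5762
cbiq1neygyp1wno.info:5762
BCBNcQ393Z3HPLQ.club:5762
"""


def host_iocs(cfg):
    """File, mutex and Run-key artifacts implied by the config.

    Assumption: Remcos composes <path>\\<folder>[\\<file>] from the matching
    triplets. Features whose flag is 'false' may never create their
    artifact, so they are listed separately rather than silently dropped.
    """
    def join(*parts):
        return "\\".join(p for p in parts if p)

    paths = [
        join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]),
        join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]),
        join(cfg["screenshot_path"], cfg["screenshot_folder"]),
        join(cfg["audio_path"], cfg["audio_folder"]),
    ]
    disabled = sorted(k for k, v in cfg.items()
                      if (k.endswith("_flag") or k.endswith("_option")) and v == "false")
    return {"paths": paths, "mutex": cfg["mutex"],
            "startup_value": cfg["startup_value"], "disabled": disabled}


_C2_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+):(?P<port>\d{1,5})$")


def parse_c2(text):
    """Parse host:port lines; reject malformed entries instead of guessing."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _C2_RE.match(line)
        if not m or not 0 < int(m["port"]) < 65536:
            raise ValueError(f"unparseable C2 entry: {line!r}")
        entries.append((m["host"], int(m["port"])))
    return entries


def c2_summary(entries):
    """Traits worth pivoting on: shared port, TLD spread, label shape."""
    hosts = [h for h, _ in entries]
    labels = [h.rsplit(".", 1)[0] for h in hosts]
    return {
        "count": len(entries),
        "ports": Counter(p for _, p in entries),
        "tlds": Counter(h.rsplit(".", 1)[1].lower() for h in hosts),
        "label_lengths": Counter(len(lbl) for lbl in labels),
        # labels mixing upper- and lower-case letters vs. all-lowercase ones
        "mixed_case": sum(1 for lbl in labels if lbl != lbl.lower()),
        "lowercase": sum(1 for lbl in labels if lbl == lbl.lower()),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(host_iocs(CONFIG), indent=2))
    print(c2_summary(parse_c2(C2_TEXT)))
```

Running it shows that every endpoint uses port 5762 and that the fourteen domains split evenly between mixed-case and all-lowercase labels across .club, .xyz and .info, which is a stronger pivot for network hunting than any single domain. On the host side, `keylog_flag`, `screenshot_flag` and `install_flag` are all `false` in this config, so `logs.dat`, the `Screenshots` folder and the Run-key entry may not appear on an infected machine even though the paths are present in the config; the mutex `Remcos-UQ8E24` is the artifact least affected by those switches.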

Targets

    • Target

      fa958470655b38f6efcfcc94d9d9c41153a840e46593a092ebf158ebc02059a0

    • Size

      8.2MB

    • MD5

      aa6e85858efca5028eadcf3a317fbbdc

    • SHA1

      3ef8bf2c75b73030105e2af6b7484f6cd6470cc7

    • SHA256

      fa958470655b38f6efcfcc94d9d9c41153a840e46593a092ebf158ebc02059a0

    • SHA512

      b8dcd361ad90b5fad9813b53f0ae8a2a9a2643f4af3ae13e2234cb8dbcb2453657c17a40c9cd1acb130e040d00b48ced01480decc1a7895bb84d9e9694cbfc23

    • SSDEEP

      196608:2NfOH6v/+gNpzr0L8bFYInjxdRRsGV5XbEBkJ58u1y5BgpljlHy:2k6LjzoLA+adRRssXgBg5p1QBSxlS

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15