General

  • Target

    JaffaCakes118_1fd70a9f7528d1c0a77ecbf6de91062d878be3022103efb59159f487f0322643

  • Size

    11.2MB

  • Sample

    241224-rkcltsyrbv

  • MD5

    45d7a3762ef548a5c942fd2449340640

  • SHA1

    e1ee95ebe3161d30050e6d2b6d1958773c3d21c3

  • SHA256

    1fd70a9f7528d1c0a77ecbf6de91062d878be3022103efb59159f487f0322643

  • SHA512

    44b8e2c3bb900faa4c0fc1a2f0d5d1d83d0398fc3986d324b95ad95fef5b1106424ae6ffbb11882948c882e7f3c105d3bd868a974d894884a7a96d1cfa3ce04c

  • SSDEEP

    196608:0x+qYpUN2OXQ0z08+MSM6+dmlCtUCAqv+ZSdAzjBFrXB+msKfHo2l3:i+qN2EtzCn+dqlCAqabrRD3/D

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

GN07

C2


Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    alocal

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-7NX4GS

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      d8cddc980098b654c3ac1c3b259063b1d23dd602c880a343987b278e0149a0ff

    • Size

      11.6MB

    • MD5

      36ddc59c81a64a958522afe36db514eb

    • SHA1

      38a91b48f008c1f373a497958b99b55759c31e8e

    • SHA256

      d8cddc980098b654c3ac1c3b259063b1d23dd602c880a343987b278e0149a0ff

    • SHA512

      30fbfdf2a72cb6dc32e3474183f7568612bf9073636b8f46c4dacc7159dcfaaaeae9b7f14099bdce127e1e4c6e76ceda95b4299d97908ebd47d43ca3de67fbe8

    • SSDEEP

      196608:66d/muCW+Mwsdu3Z/pSyahZZNIb/rlDn7lPAUMmEzCLzBHelLat1jNX+usduHS9+:9/LmsdutoPhZZNM/pn7eUM0Lznt1pOh9

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Drops startup file

    • Suspicious use of SetThreadContext
