General

  • Target

    24122024_1655_24122024_Quotation.gz

  • Size

    875KB

  • Sample

    241224-vfegeaskfx

  • MD5

    00b7fefa6fc125bb4753c05296e9ef76

  • SHA1

    82af869dd2774ca08e35d07d70cee1b40e70b486

  • SHA256

    bdade424b285ccc8e249a2d1a485e35429ee4b6b2e168c65dc14b21463d346fa

  • SHA512

    54f2d282b305548b5962ccd956a6a13ed0134eb204d4622baf5c3d61070876673e1c56c8f2fecd7c868bae9fa62eef7ca65f27a0e89273b6bb77fadd7dfced71

  • SSDEEP

    24576:uiVIL7TfOkBkzIp6OBdyFGdViW91ZHwOTX3vq1TgEDLfc:uGATf3BkzIpP46VRHHrTPq1TvDLfc

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

185.241.208.87:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-7DRXD9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Quotation.exe

    • Size

      940KB

    • MD5

      180ccd64c5a7543dd30077c48d20f67c

    • SHA1

      b8a68eac1ff1f76b0d0dd1ebe5f795c2a02d1929

    • SHA256

      42306b57fbe6db0e589995f0e50a28140c86715953a8d637e7ed42a59e2ebcb3

    • SHA512

      06a26968634697648ddf33dd0d25fa022b01be5bc6f64c6e8210610a1e0e21ef628cc53f8c4449579897278fd975091f46174a5ebf0b2ec057960d748f0a262a

    • SSDEEP

      24576:PkXOPSJCh5kbQ5Q+HHC/6UISfAHgwjc3b:PGRJu5CKNUISYHgwjc3

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks