General

  • Target: 03022025_1526_DHL Express_799806687.vbs.gz
  • Size: 22KB
  • Sample: 250203-svdsbawqfl
  • MD5: c90a81384f9f260eeb5fc6ea84910c0f
  • SHA1: b8977565aec152e14d57bbcca1ce62003e6e3f16
  • SHA256: f49636dd1a4ff284dcecd702ba9b332e8ef2e03f064ee532669e0309f7831f6d
  • SHA512: 0189c79c50884fe5a3d4a4d1216ce7df25bc5bd7bcd513a45c78e646cd6f3f8208ae09e77815eb311653286603662128b3f3feab993de6644e1c2eb2493f5b52
  • SSDEEP: 384:BxULPMKsL3wE4u6/W9MqQYXEkf/zfOvaTMl7wO+/D4VnnbauGLOOnPBB20DArZhS:bOPvEW/yMWVWvYMlMb4Vnnb70BBfGhb2

Malware Config

Extracted

  • Family: remcos
  • Botnet: ood
  • C2: goody.work.gd:4173

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: vlc
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: true
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: ios
  • mouse_option: false
  • mutex: gig-R8G1B2
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: sos
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

  • Target: DHL Express_799806687.vbs
  • Size: 219KB
  • MD5: 9e240e7341b1b39c9bced26bc4818619
  • SHA1: bf5744dc9e21fc68d8825cff85518a1ce5f53858
  • SHA256: 854f0e5d062c2a2ebfa69f37b8d2c98fc27e15997a6174783b2df1a7faf07912
  • SHA512: fa1e9669dff9e2d60f3bd606d15564217c20422608160658dfe3d5963e07f1ec95243a481ba58239eca63e5fdd7f431e659dd68ed8614225088438b44fa4e82a
  • SSDEEP: 3072:AwZVmI3b0mgfmWu+Ge9VOv6G5sVhQ30Wk+70wgA11:AwZVBe9VOv7

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Remcos family

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up the country code configured in the registry; likely a geofence.

  • Command and Scripting Interpreter: PowerShell

    Uses the powershell.exe command.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
