General

  • Target: 569___BL,INV_and_packing_list.jpg.ace
  • Size: 798KB
  • Sample: 250404-kfbemsvry6
  • MD5: f4991469abb773c2b0da4f61f7b2a3a3
  • SHA1: c3671f891bcf300128f60b3cc2b2db74d3a525f4
  • SHA256: 52939296475d2fc83dab2eafb9b8512a53a450e3aaf60f288e1de3cc811fb49b
  • SHA512: 10b50a93af66425d3a69f89a24aa6cee03e28254efd532d2ad6e1b703dae0bfd211492a8ce4a1243b8b1e5ca8eb2a4a7728645596e3e8c981bb0012d0538e0ff
  • SSDEEP: 24576:JUt7lKWtzkRIxZ+HALg+m3OpqtfIcxfvsVKyXLxc48a4ZXpait:aWWtzkSZPE+shaKyXNcdTQit

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: 103.83.87.190:5817

Attributes

  • audio_folder: MicRecords
  • audio_path: ApplicationPath
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-E1OC2H
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: Shipment Document BL,INV and packing list.jpg.exe
    • Size: 1.3MB
    • MD5: 9aa7675541b2cf73b71f5ddc6be2084b
    • SHA1: b8af9227da8a2e6957604cb4e643370adadeae68
    • SHA256: 1fc20be3230c5de684a0c39942bfe11d80b71d540c6c42c40fb22c1c2416d2c5
    • SHA512: 040ec11512a61ecb84360dc045a5098ae7d25c0490da901e7cb510ee128585b038df6132e3e3811b66d3c4fefd618091be6b98c0a4ef5a5df4c2416a8eba6b50
    • SSDEEP: 24576:Ju6J33O0c+JY5UZ+XC0kGso6FaSZ62TTqVNrwvtK1pWp1N/az2DIjWY:ru0c++OCvkGs9FaSMoqIk1pW5c2HY

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Drops startup file

    • Executes dropped EXE

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks