General

  • Target

    scan.exe

  • Size

    478KB

  • Sample

    250703-f3blpsvls8

  • MD5

    7992d2226b6ea81048194220e1964055

  • SHA1

    1ebf3c3f9f250c155fcacdee5c53f50cd62c0e79

  • SHA256

    4ec2a7c94a31f3101ae972c48ba05fdf1894ac1282ca1638a61abea20c79502d

  • SHA512

    415bd91d5cbc311850d375f7d531657ffd6ce578aa0fc4d30d831052451d63fa4a06d6acbca13438509d5cee725431fd602a4bb2e428995576da7cad42a02ce3

  • SSDEEP

    12288:T0aXXXXXkXXXXXXXXXXXkXaXXXXXXXXXXXXX9RC8WVFsoZwJ1EzQwQ/LX+xYqsp2:TxXXXXXkXXXXXXXXXXXkXaXXXXXXXXX4

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.172.232.94:2404

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-RCP7JD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      scan.exe

    • Size

      478KB

    • MD5

      7992d2226b6ea81048194220e1964055

    • SHA1

      1ebf3c3f9f250c155fcacdee5c53f50cd62c0e79

    • SHA256

      4ec2a7c94a31f3101ae972c48ba05fdf1894ac1282ca1638a61abea20c79502d

    • SHA512

      415bd91d5cbc311850d375f7d531657ffd6ce578aa0fc4d30d831052451d63fa4a06d6acbca13438509d5cee725431fd602a4bb2e428995576da7cad42a02ce3

    • SSDEEP

      12288:T0aXXXXXkXXXXXXXXXXXkXaXXXXXXXXXXXXX9RC8WVFsoZwJ1EzQwQ/LX+xYqsp2:TxXXXXXkXXXXXXXXXXXkXaXXXXXXXXX4

    • Guloader family

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      75ed96254fbf894e42058062b4b4f0d1

    • SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

    • SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    • SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    • SSDEEP

      192:X24sihno0bW+l97H4GB7QDs91kMtwtobTr4u+QHbazMNHT7dmNIEr:m8vJl97JeoxtN/r3z7YV

    Score
    3/10

MITRE ATT&CK Enterprise v16

Tasks