Overview

overview

10

Static

static

Ordonnance...06.exe

windows7_x64

10

Ordonnance...06.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Ordonnance PL-PB39-210706.iso

  • Size

    752KB

  • Sample

    210805-wrj52q611x

  • MD5

    ec01be6b5d41439b517192b134706041

  • SHA1

    c21d12c458df1bba2d06ad8457f401a15a09a70b

  • SHA256

    fbb4338620c1c11fb419cee3b8138f608cdb852b57a61cfedcec23764325a5aa

  • SHA512

    fe807de85749b84858607c07b3d4e62350bcca9dd6e9f83de7b516fd4c867c29d5b0ea16daf92dad762a4a8176a275c1f60b2230f21b59792a368791c82b5fc2

Score
10/10
modiloaderremcosgobalpersistencerattrojan

Malware Config

Extracted

Family

remcos

Botnet

Gobal

C2

june248.ddns.net:3759

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-4U30G5

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      Ordonnance PL-PB39-210706.exe

    • Size

      690KB

    • MD5

      387c0e39f24944d264ee4cf0734d42b7

    • SHA1

      80f391534e5732b1bdd4b89531aca686d33b7362

    • SHA256

      d1f9a0b2a40e1a34cd4e5a1a756749a6f5180886153b9c1c9593e455540a41c1

    • SHA512

      6d9b15b43f3adca503703f45d5249fe2cf6d832c62e383fd3271ead6173347eb398dcd141d8df57076a2dcdbc5b26999e3de4800e923bfd957db6badb3a8da92

    Score
    10/10
    remcosgobalpersistenceratmodiloadertrojan

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks