General

  • Target

    QUERREPDFCUES54690001 QUERREPDFCUES54690003.exe

  • Size

    585KB

  • Sample

    210809-2tv4qjvglx

  • MD5

    01ab5cebf5d5f7748f7ddecca72d3b37

  • SHA1

    be313948840376877d6e5f487d5a13069a767c68

  • SHA256

    e5edfeb06aaa8e77155bdd5099a5cd9a4beaf8f840a34f88896f3be54f0cdc9c

  • SHA512

    a75599b5d8cccfc70b54d42636955522c73ca53353e358f4a63601ed5d27b3ee93cd5889ab62d59b83cca6f4cd256e7586bb88af44ef0994d48d53556d0d438e

Score
10/10

Malware Config

Extracted

  • Family

    remcos

  • Version

    2.7.0 Pro

  • Botnet

    TURQUIA

  • C2

    tokia7823.duckdns.org:1616

    turquia111.duckdns.org:1616

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-HUKJQR

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

  • Remcos

    Remcos is closed-source remote control and surveillance software.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task, T1053 (1)

  • Persistence

    Scheduled Task, T1053 (1)

  • Privilege Escalation

    Scheduled Task, T1053 (1)

  • Discovery

    System Information Discovery, T1082 (1)

Tasks