Overview

overview

10

Static

static

MTB1056 Proforma.exe

windows7_x64

1

MTB1056 Proforma.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MTB1056 Proforma.lzh

  • Size

    298KB

  • Sample

    211005-qbl88sabem

  • MD5

    435da9c8758341a39aca24bf69d9e3ac

  • SHA1

    3ab8b91e74ac2588742a969823922903982bcdd6

  • SHA256

    5adbc7c03db65599504380ed34ab2336f767d062dd4cf2445c2bc0c25af7abb3

  • SHA512

    ebf95c9532c7d8b743242b5f4c08a323b4f28764a87ec1857577425cecee5a66351f6fa106207761429259363440b12a33721f99c4a64688e601913eeedbcd5e

Score
10/10
remcospandapersistencerat

Malware Config

Extracted

Family

remcos

Version

3.1.4 Pro

Botnet

PANDA

C2

emedoo.ddns.net:35890

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Vlc

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-3LQVLY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      MTB1056 Proforma.exe

    • Size

      811KB

    • MD5

      c050088cde2c6e479d294c4eda274c78

    • SHA1

      ae1451a744a05d4984c4064275fa7366cdfb3d07

    • SHA256

      662eecce48bec8dc6ebb8dc123713a3dfb97dc2514ddb3396d88cf855267f2bb

    • SHA512

      a3bab9e01625a9f3a766f51e4397362464ba94c150bb3a47bbd8bc91a912b17979bb3906700a89cb2d39093f9d363cbd86dfb3ab2ab91b7c35d8ff59450d7726

    Score
    10/10
    remcospandapersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks