Overview

overview

10

Static

static

ShippingDocs.exe

windows7_x64

3

ShippingDocs.exe

windows10_x64

10

Resubmissions

09-10-2021 11:54

211009-n3dp3afccm 10

07-10-2021 14:54

211007-r9wq1acef7 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ShippingDocs.exe

  • Size

    55KB

  • Sample

    211007-r9wq1acef7

  • MD5

    a3e458f7e2e1f940b0c62042afe607d3

  • SHA1

    6fb0a031365530ebb273f47f034181a530e31b70

  • SHA256

    1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028

  • SHA512

    9d27b5a6e1086b315bb71cccca1f64e718d1815adbccde1a3483e1404ec3d5d8a6eddc90de373e362543a8db69bf5118e36fef6c8b4cc82d40a4f771b44766e8

Score
10/10
remcosremusd31kmicrosoftpersistencephishingrat

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

remUSD31k

C2

yedaibi.com:8760

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    zoom-FKG2PK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      ShippingDocs.exe

    • Size

      55KB

    • MD5

      a3e458f7e2e1f940b0c62042afe607d3

    • SHA1

      6fb0a031365530ebb273f47f034181a530e31b70

    • SHA256

      1730338ca0fbfe0985bed5638fc8599a6dd38761ab8b89e3d8a076947a320028

    • SHA512

      9d27b5a6e1086b315bb71cccca1f64e718d1815adbccde1a3483e1404ec3d5d8a6eddc90de373e362543a8db69bf5118e36fef6c8b4cc82d40a4f771b44766e8

    Score
    10/10
    remcosremusd31kmicrosoftpersistencephishingrat

    • Modifies WinLogon for persistence

      persistence

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Detected potential entity reuse from brand microsoft.

      phishingmicrosoft

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks