Overview

overview

10

Static

static

DHL_119040...df.exe

windows7_x64

10

DHL_119040...df.exe

windows10_x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DHL_119040 receipt document,pdf.exe

  • Size

    686KB

  • Sample

    211022-j29znacbhr

  • MD5

    052f9ca00b96e53de2d50745b56322f9

  • SHA1

    e50a85146587f30aea48e9ec5ca7044d2e997728

  • SHA256

    e7de0f165f8c5b38c60cf57edf5277ce09ea31bf46aa31f1b6bdc011a5e248e3

  • SHA512

    52d8c137b966571a623b12770e91a9044e6b71e0af6f54188bf6833950e68e41301afcf74f754c186ae6249ca1ffa6da21554566a7782652b74b1c191d67d594

Score
10/10
remcosasedeygopersistenceratsuricata

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

ASEDEYGO

C2

ckay4real.hopto.org:7676

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-1X6NRY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      DHL_119040 receipt document,pdf.exe

    • Size

      686KB

    • MD5

      052f9ca00b96e53de2d50745b56322f9

    • SHA1

      e50a85146587f30aea48e9ec5ca7044d2e997728

    • SHA256

      e7de0f165f8c5b38c60cf57edf5277ce09ea31bf46aa31f1b6bdc011a5e248e3

    • SHA512

      52d8c137b966571a623b12770e91a9044e6b71e0af6f54188bf6833950e68e41301afcf74f754c186ae6249ca1ffa6da21554566a7782652b74b1c191d67d594

    Score
    10/10
    remcosasedeygopersistenceratsuricata

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • suricata: ET MALWARE Remocs 3.x Unencrypted Checkin

      suricata: ET MALWARE Remocs 3.x Unencrypted Checkin

      suricata

    • suricata: ET MALWARE Remocs 3.x Unencrypted Server Response

      suricata: ET MALWARE Remocs 3.x Unencrypted Server Response

      suricata

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks