General

  • Target

    CITAPDFRES743960001 CITAPDFRES743960007.exe

  • Size

    589KB

  • Sample

    220125-z17e5sfch8

  • MD5

    80d706aa41da2983dc3b80782e22dfaa

  • SHA1

    0e6f43dbceae22222d09f5d7848aa4f24ee42c44

  • SHA256

    2161a41e36c0bb939dc0203f9e1ada84addcef0e2f31905fad860e16c7603c88

  • SHA512

    a8ece67856b180449d16ce98d7c627a1f02a854b6fff2bd03aa72e0119d1d64f3f68f0d4bcd345ff1248c534c9478cce808046230312d30fea09aa3897d80c04

Score
10/10

Malware Config

Extracted

Family

remcos

Version

2.7.0 Pro

Botnet

9

C2

pruebanue97382.duckdns.org:1718

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-B5WISH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    1 technique: Scheduled Task (T1053)

  • Persistence

    1 technique: Scheduled Task (T1053)

  • Privilege Escalation

    1 technique: Scheduled Task (T1053)

  • Discovery

    1 technique: System Information Discovery (T1082)

Tasks