Resubmissions

27-01-2022 12:43

220127-pyc4eadbh4 10

27-01-2022 12:41

220127-pw1fxscgan 1

General

  • Target: ugovor.tar.lz
  • Size: 1.1MB
  • Sample: 220127-pyc4eadbh4
  • MD5: f45bc5ebca90d5b846add5508d9d2588
  • SHA1: 7728026610649cb18d09345f095b4c55104f0268
  • SHA256: cd701ef9d2fb89df898775c866bdf31f2d54fb645c0d595a211ec665cc5f78c1
  • SHA512: d933b581ad94e78a34089c2e934334b9921f393bc0f126e9b99a83b58259ce2f28b19d8cbd9cea991f4f9c27f00934c319a6acbab57cfa61cf07dc86302ee969

Score
10/10

Malware Config

Extracted

  • Family: remcos
  • Version: 3.3.2 Pro
  • Botnet: Waya2022
  • C2: gbotowaya.linkpc.net:2461

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: winslogs.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: winlogs-XNLI5V
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: notepad;solitaire;

Targets

    • Target: ugovor/ugovor1.exe
    • Size: 756KB
    • MD5: ef4572602e374290517375a638f8da4e
    • SHA1: 02dfde4f74f1ee79f0919b3a7a5af7eabfc46d7d
    • SHA256: cbe06661237fcde35e90002ee4496b03edcc7c2b94f7dd28b551779fdb13493b
    • SHA512: 5206d7b4a398366a086b86e7f2c328a33b29e84e54291e017aeeef2e4c123f29a5fd15da0ec61467df5d3f5f56f6f6a83d040948e3614a433f64dccb5eccf5d0

    Score
    10/10

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Count  ID
  Execution             Scripting                     1      T1064
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Defense Evasion       Scripting                     1      T1064
  Discovery             System Information Discovery  1      T1082
