General

  • Target

    448166ffa55d2d5fbf0cfaefb21826f6.exe.vir.7z

  • Size

    39.0MB

  • Sample

    220204-lwchbaggb9

  • MD5

    b79e8795d4534358777fefa828bcbc34

  • SHA1

    cf6763f665a7904b767741341237ae42dbfc2e27

  • SHA256

    fa059ce2f6d88b5904965f6958d3ae4c6159bd788fb24debf2e463055ef77a1b

  • SHA512

    5b5255ff2294eb214a63e27b4a47644e242f91a1f931fe3f6f9b67fe90c746bf9bf5b2aa301ae588974b268646da885750e2e7071864c82ced56a971595de25f

Malware Config

Extracted

Family

remcos

Version

3.3.2 Pro

Botnet

Sys32

C2

157.90.1.54:4783

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    Logs

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Sys-PVUZ63

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    notepad;solitaire;

Targets

    • Target

      448166ffa55d2d5fbf0cfaefb21826f6.exe.vir

    • Size

      118.6MB

    • MD5

      448166ffa55d2d5fbf0cfaefb21826f6

    • SHA1

      e946af3ab6614f0b20515a3fa8b5a73210e8932d

    • SHA256

      a69ac6cbe1ce50215d3f6df173f38bb3f9de174d32c87afbb7146662214b570b

    • SHA512

      d9147720d3e691091c8a376776429eee992ab7a1b656109b091892483200b71606242dff085ca705807f081703ac7d182150f631a657c6a2d568b67b9bb32d55

    • Babadeda

      Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.

    • Babadeda Crypter

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1

Tasks