General

  • Target

    842865b9125bc84672070b327eba99d3f8f74436c804acb0d1cae5cb838824b9

  • Size

    432KB

  • Sample

    220521-n6erjaefh2

  • MD5

    5ae9bd486b6955f5126984b9a5793511

  • SHA1

    b7381de170e67397bc642129ddae505f58017780

  • SHA256

    842865b9125bc84672070b327eba99d3f8f74436c804acb0d1cae5cb838824b9

  • SHA512

    e58a93669c2453edc5d9ea3ae0a1e062a96ca2bf187cc2b8109fc87d88c2f860b79b0b9755914cff5c0db497da927264bed0f59077a90acf7a235ce24fef6427

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

GRACED

C2

thankyoulord.ddns.net:5050

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-0S5XD9

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;
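The attribute list above is only useful to a responder once the flags are applied: install_flag, keylog_flag and the screenshot flags are all false for this build, so the %AppData%\remcos\remcos.exe path, the "remcos" Run value and logs.dat will not appear on a victim unless an operator changes the config, while the mutex and the C2 hostname are present regardless. The following script is an added example, not part of the sandbox report; it loads the extracted fields shown above (constructed as a dict) and derives the artifacts worth hunting for. The rule that a C2 field may hold several entries separated by "|" or "," is this example's assumption, as is the rule that audio capture has no enable flag in the extracted config and is therefore listed as a possible rather than expected location.

```python
"""Derive hunt artifacts from an extracted Remcos configuration.

Added example, not code from the sandbox or from Remcos. Field names are
the ones the report lists; which fields yield on-disk artifacts is this
example's assumption about how the RAT uses them.
"""
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed input: the configuration attributes extracted from this sample.
CONFIG: Dict[str, str] = {
    "c2": "thankyoulord.ddns.net:5050",
    "mutex": "Remcos-0S5XD9",
    "install_flag": "false",
    "install_path": "%AppData%",
    "copy_folder": "remcos",
    "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "keylog_flag": "false",
    "keylog_path": "%AppData%",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": "false",
    "take_screenshot_option": "false",
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_path": "%AppData%",
    "audio_folder": "MicRecords",
}


def to_bool(value: str) -> bool:
    """The extractor prints flags as the strings 'true' / 'false'."""
    return value.strip().lower() in ("true", "1", "yes")


def parse_c2(value: str) -> List[Tuple[str, int]]:
    """Split a C2 field into (host, port) pairs.

    Assumption: several endpoints may be packed into one field separated
    by '|' or ','; only the first two colon-separated parts are host:port."""
    endpoints = []
    for entry in re.split(r"[|,]", value):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split(":")
        if len(parts) < 2 or not parts[0] or not parts[1].isdigit():
            raise ValueError(f"malformed C2 entry: {entry!r}")
        endpoints.append((parts[0], int(parts[1])))
    return endpoints


def derive_artifacts(cfg: Dict[str, str]) -> Dict[str, list]:
    """Return what a responder should look for, honoring the enable flags.

    Only features whose flag is set produce predictable files or registry
    values; the mutex and the C2 endpoint exist whether or not the sample
    installs itself."""
    artifacts: Dict[str, list] = {
        "network": parse_c2(cfg["c2"]),
        "mutex": [cfg["mutex"]],
        "files": [],
        "registry_run_values": [],
        "capture_dirs": [],
    }
    if to_bool(cfg["install_flag"]):
        # install_path\copy_folder\copy_file plus the Run-key value name.
        artifacts["files"].append(
            ntpath.join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]))
        artifacts["registry_run_values"].append(cfg["startup_value"])
    if to_bool(cfg["keylog_flag"]):
        artifacts["files"].append(
            ntpath.join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]))
    if to_bool(cfg["screenshot_flag"]) or to_bool(cfg["take_screenshot_option"]):
        # Timed or window-title-triggered screenshots land in the same folder.
        artifacts["capture_dirs"].append(
            ntpath.join(cfg["screenshot_path"], cfg["screenshot_folder"]))
    # Assumption: no enable flag is extracted for audio capture, so its
    # directory is listed as a possible location rather than an expected one.
    artifacts["capture_dirs"].append(
        ntpath.join(cfg["audio_path"], cfg["audio_folder"]))
    return artifacts


if __name__ == "__main__":
    for kind, values in derive_artifacts(CONFIG).items():
        print(f"{kind}: {values}")
```

For this sample the output reduces to the DNS name and port, the mutex, and the MicRecords directory; flipping install_flag and keylog_flag to true in the dict adds the copied binary, the Run value and logs.dat, which is the difference between hunting for a dropped file and hunting only for the mutex and the resolver query.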

Targets

    • Target

      CONFIRMACION DEL PEDIDO CVE6535,PDF.exe

    • Size

      372KB

    • MD5

      a962399ee6a55b52ad2432702a800597

    • SHA1

      2ae09b6b627b86bb4a6e2e7b2d33fdc6f8e1579f

    • SHA256

      329886b8af71b45a41f94d0d9a69761b6b6fe80d36b7f7a6201fd97dc33234d5

    • SHA512

      7914d464cbba0de5392a19d9bd986be7246fca19d15cad5303cf81f1a9dd56cbf94729bd5d1f7f2b2b3e0cb545bb689cc6114b8ee08a8c508c4f8d1eeb86b8a6

    • CoreEntity .NET Packer

      A .NET packer, CoreEntity, that embeds its payload as a Bitmap object which is later decrypted.

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • SnakeBOT

      SnakeBOT is a heavily obfuscated .NET downloader.

    • Contains SnakeBOT related strings

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                      Count  ID
Execution             Scripting                      1      T1064
Execution             Scheduled Task                 1      T1053
Persistence           Scheduled Task                 1      T1053
Privilege Escalation  Scheduled Task                 1      T1053
Defense Evasion       Scripting                      1      T1064
Discovery             Query Registry                 1      T1012
Discovery             System Information Discovery   2      T1082

Tasks