General

  • Target

    1ad767a48d94965416dbcf6dd21ab63f686aeff22c1de9d10cf5ac2cebafbe40

  • Size

    87KB

  • Sample

    220521-n7s1jshhgj

  • MD5

    4531181a883d59daa3f7768d717b8b0b

  • SHA1

    4ae886adfbf0b48b2db5625369124ca06813f12e

  • SHA256

    1ad767a48d94965416dbcf6dd21ab63f686aeff22c1de9d10cf5ac2cebafbe40

  • SHA512

    2ea143e81a1ed0dd5ee8eed9798314783cfadfa094db3ad3dacd90b54a821aff44c48a9651848da887d20d74ff512cf08a59c8ca9bad05d8358114fc1f128e32

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

NKIRUKA2020

C2

nkiruka2020.ddns.net:7171

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-LI323K

  • screenshot_crypt

    true

  • screenshot_flag

    true

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    true

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;
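The attributes above are only useful to a defender once they are turned into things that can be searched for: a C2 name and port, a mutex, a Run value name, and the file paths the path/folder/file triples imply. The script below does that conversion. It is an added example, not code from the sandbox or from Remcos: the CONFIG dict is constructed from the attribute list on this page, and the way path, folder and file settings are joined (and %AppData% expanded to the stock per-user roaming profile) is an assumption about what the config means, not documented Remcos behaviour.

```python
"""Turn this report's extracted Remcos config into concrete hunt artifacts.

Added example, not code from the sandbox or from Remcos: CONFIG is constructed
from the "Attributes" list in the report, and the way path, folder and file
settings are joined is an assumption about the config's meaning.
"""
import json

# Constructed from the report; only the fields used below are included.
CONFIG = {
    "c2": ["nkiruka2020.ddns.net:7171"],
    "mutex": "Remcos-LI323K",
    "startup_value": "remcos",
    "install_flag": False,
    "install_path": "%AppData%",
    "copy_folder": "remcos",
    "copy_file": "remcos.exe",
    "keylog_flag": False,
    "keylog_path": "%AppData%",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "screenshot_flag": True,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots",
    "audio_path": "%AppData%",
    "audio_folder": "MicRecords",
}


def parse_c2(entry):
    """Split a 'host:port' string (bracketed IPv6 literals not handled) into (host, int port)."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def _join(*parts):
    """Windows path join that leaves %AppData% untouched for later expansion."""
    return "\\".join(parts)


def expected_paths(cfg):
    """Filesystem artifacts the config implies, with %AppData% still unexpanded."""
    return {
        "binary": _join(cfg["install_path"], cfg["copy_folder"], cfg["copy_file"]),
        "keylog": _join(cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"]),
        "screenshots": _join(cfg["screenshot_path"], cfg["screenshot_folder"]),
        "audio": _join(cfg["audio_path"], cfg["audio_folder"]),
    }


def expand_for_user(path, username):
    """Expand %AppData% for one user.

    Assumption: the default profile layout C:\\Users\\<user>\\AppData\\Roaming;
    hosts with redirected profiles need the real value from the endpoint.
    """
    return path.replace("%AppData%", f"C:\\Users\\{username}\\AppData\\Roaming")


def disabled_features(cfg):
    """Flags set to false: artifacts tied to them are not expected from the config
    alone, so any sighting of them should come from observed behaviour instead."""
    return sorted(k[:-5] for k, v in cfg.items() if k.endswith("_flag") and not v)


def hunt_list(cfg):
    """Group indicators by where a defender would look for them."""
    return {
        # ddns.net is a dynamic DNS zone: match the hostname and port, not a resolved IP.
        "network": [parse_c2(c) for c in cfg["c2"]],
        "mutex": cfg["mutex"],
        "run_value_name": cfg["startup_value"],
        "files": expected_paths(cfg),
        "disabled_in_config": disabled_features(cfg),
    }


if __name__ == "__main__":
    print(json.dumps(hunt_list(CONFIG), indent=2))
```

Note that install_flag and keylog_flag are false in this config while screenshot_flag is true, so the Screenshots folder is the artifact most likely to appear on disk from the config alone; the Run value and Winlogon changes listed under Targets were observed by the sandbox regardless and should be hunted on their own merits.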

Targets

    • Target

      Amit Order598467588,pdf.exe

    • Size

      124KB

    • MD5

      b2805d0ca02a91d5d6c1deee9318a46e

    • SHA1

      ce21ab5d3430faf360376bd50d603ab81824240c

    • SHA256

      0b8d469babc7b057403a1d7ca0f781c9a675523941cfcc8bb6eae582680746c4

    • SHA512

      c7a009b44c5300f7e242388d202cbdbdeb77aa82dc190a8a8e9e5dd2b2a5718209678843d0cf481407eed02c5bbd401b34318df5816f48ed20ddf65b2b13a52d

    • Modifies WinLogon for persistence

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Drops startup file

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
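Two of the behaviours listed above (the Run key and the Winlogon change) leave registry writes that endpoint telemetry records. The script below is the detection logic a defender would run over such records, added here as an example and not one of the sandbox's own signatures: EVENTS are constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records shaped after the findings on this page, and INDICATORS are taken from the extracted config's startup_value and copy_file. The stock Userinit and Shell values it compares against are the Windows defaults.

```python
"""Flag registry writes matching the persistence behaviours in this report.

Added example, not the sandbox's own signatures: EVENTS are constructed
Sysmon Event ID 13 records; INDICATORS come from the config attributes.
"""
import re

# Value names under the per-user or machine Run / RunOnce keys.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\(?P<name>[^\\]+)$", re.I)
# Winlogon values that execute at logon.
WINLOGON_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(?P<name>Userinit|Shell)$", re.I)
# Stock Windows values; anything else (typically an appended path) is suspect.
WINLOGON_DEFAULTS = {
    "userinit": "c:\\windows\\system32\\userinit.exe,",
    "shell": "explorer.exe",
}

INDICATORS = {"remcos", "remcos.exe"}  # from the config: startup_value, copy_file

EVENTS = [  # constructed sample records, not sandbox output
    {"Image": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"Image": r"C:\Users\user\Desktop\Amit Order598467588,pdf.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\remcos",
     "Details": r"C:\Users\user\AppData\Roaming\remcos\remcos.exe"},
    {"Image": r"C:\Users\user\Desktop\Amit Order598467588,pdf.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,C:\Users\user\AppData\Roaming\remcos\remcos.exe"},
    {"Image": r"C:\Windows\system32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Details": r"C:\Windows\system32\userinit.exe,"},
]


def classify(event):
    """Return an alert dict for a persistence write, or None for anything else."""
    target, details = event["TargetObject"], event["Details"]
    m = RUN_KEY_RE.search(target)
    if m:
        return {"technique": "T1547.001",  # the report's ATT&CK v6 matrix lists this as T1060
                "value": m["name"], "details": details, "image": event["Image"]}
    m = WINLOGON_RE.search(target)
    if m and details.strip().lower() != WINLOGON_DEFAULTS[m["name"].lower()]:
        return {"technique": "T1547.004",  # the report's ATT&CK v6 matrix lists this as T1004
                "value": m["name"], "details": details, "image": event["Image"]}
    return None


def scan(events, indicators=INDICATORS):
    """Classify every event and mark alerts whose value name or data carries a
    config-derived indicator, so they sort ahead of ordinary autorun entries."""
    alerts = []
    for ev in events:
        alert = classify(ev)
        if alert:
            haystack = (alert["value"] + " " + alert["details"]).lower()
            alert["matches_config"] = any(i in haystack for i in indicators)
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(EVENTS):
        flag = "CONFIG MATCH" if a["matches_config"] else "review"
        print(f"{a['technique']} {flag}: {a['image']} set {a['value']} = {a['details']}")
```

Run key writes are common for legitimate software, so the Run rule on its own is a triage queue rather than an alert; the Winlogon rule is far quieter because it fires only when the value differs from the stock one, and the config-derived indicators are what let the analyst pick out this sample's entries from the noise.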

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            Count  v6 ID  Current ID
  Persistence      Winlogon Helper DLL                  1      T1004  T1547.004
  Persistence      Registry Run Keys / Startup Folder   1      T1060  T1547.001
  Defense Evasion  Modify Registry                      2      T1112  T1112

The v6 identifiers are the ones the report was generated with; T1004 and T1060 were folded into sub-techniques of Boot or Logon Autostart Execution (T1547) when ATT&CK introduced sub-techniques, while T1112 kept its number.

Tasks