remcos | 2315e9ea4b02a18e75f5c6c3f6228dd04d9fddeb27d229aa55345875a2430518 | Triage

Submit
Reports

Overview

overview

Static

static

9

配達確�...df.exe

windows7_x64

配達確�...df.exe

windows10-2004_x64

Sharing

General

Target

2315e9ea4b02a18e75f5c6c3f6228dd04d9fddeb27d229aa55345875a2430518
Size

460KB
Sample

220521-pcqsdaacbp
MD5

c97d58c8dcb5572e7231b42f91413cb9
SHA1

bddb515fa6059039ff221fbbd9089618a5fca010
SHA256

2315e9ea4b02a18e75f5c6c3f6228dd04d9fddeb27d229aa55345875a2430518
SHA512

9c12dda7e8b58c2ffee2b1e7a6868f4c97949f8405fa580068124290d7966b580536ca808a6c8ca33b9f037e3aafc2e3ad3d32668b42292f2975fab5cf20dbb8

Score

10^/10

remcos smash b coreentity rat rezer0

Static task

static1

Behavioral task

behavioral1

Sample

配達確認書 PO#8018516,pdf.exe

Resource

win7-20220414-en

remcos smash b coreentity rat rezer0

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

配達確認書 PO#8018516,pdf.exe

Resource

win10v2004-20220414-en

remcos smash b rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

SMASH B

C2

goddywin.freedynamicdns.net:5252

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-PLP378
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  配達確認書 PO#8018516,pdf.exe
- Size
  
  398KB
- MD5
  
  b12a52f0dbe23e563edd4793d001f8fd
- SHA1
  
  5c7b8ceab6ec73c6ae951b4e01426d24a421fa04
- SHA256
  
  a3b3bbce36f3c381e04a1a086d9ad58f31563d8f106bb1a6732cf2799ee645e0
- SHA512
  
  f76ec5f22602bf37e748c43a870de8762de294a6fbb861175875979ca16349f97de7b6a2fd2e6b2664d7fc16e1a485a617cce3ba8192d88f1f5cd6c9a11178aa
Score

10^/10

remcos smash b coreentity rat rezer0
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- CoreCCC Packer
  Detects CoreCCC packer used to load .NET malware.
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcossmash bcoreentityratrezer0

behavioral2

remcossmash brat

© 2018-2024

Terms | Privacy