General

  • Target: 932ca48307370d1019ade8c5f9312d6f96f7d565715f48f4a4c35a045702cef2
  • Size: 230KB
  • Sample: 220521-ph3dcsaehp
  • MD5: 5ba8b1ee47b934c42ff521dc3c47da79
  • SHA1: 0a23493703fc700e6893c2348fa9bb155ab5ccee
  • SHA256: 932ca48307370d1019ade8c5f9312d6f96f7d565715f48f4a4c35a045702cef2
  • SHA512: e0eac8e143399d1413f8e29274e35e16c49b64a00e96eeafaa822ecf00897427227ba45e194b0af4c7cff298c943d06ff5d8e3b1efa247374c3ccea54eef38be

Score: 10/10

Malware Config

Extracted

  • Family: remcos
  • Version: 2.5.1 Pro
  • Botnet: xxxxxxxxxxxx
  • C2: 109.169.89.116:2021

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: s.sex
  • keylog_flag: false
  • keylog_folder: ssssss
  • keylog_path: %UserProfile%
  • mouse_option: false
  • mutex: fuckhere-M9W1LK
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: wikipedia;solitaire;

Targets

    • Target: RFQ TRQ22-06-20200051_pdf.exe
    • Size: 315KB
    • MD5: 154aa4440eee43b6472416eeb938f9e8
    • SHA1: 643b61955b6743f33db01be7ecf93463fd887da1
    • SHA256: d69aa1932b2e702e5065ee19da9fc9cf2b05e7dbaa617141b14eaa501a14955e
    • SHA512: 2a225d7128166394a26e226febd275f1ca1dead61666136008ff843b4a21eb0bf16a5b66c055a2d213d272d63c940d2cce02270475c9bb2551135a58cff77020

    Score: 10/10

    Signatures

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                     Count  ID
  Execution             Scheduled Task                1      T1053
  Persistence           Scheduled Task                1      T1053
  Privilege Escalation  Scheduled Task                1      T1053
  Discovery             Query Registry                1      T1012
  Discovery             System Information Discovery  2      T1082

Tasks