General

  • Target

    b371d002c5cdc04dc83f47d413a17103d6325b13c945ff090952aa743b6e9205

  • Size

    160KB

  • Sample

    220521-xh3m5abgf9

  • MD5

    42e0fe24cb392a0dc23c0232959bad30

  • SHA1

    815e71accb773c61654a6939532f46fe0c65fc80

  • SHA256

    b371d002c5cdc04dc83f47d413a17103d6325b13c945ff090952aa743b6e9205

  • SHA512

    0007083d70a1a25bd02a37ff225a2e50aacdff4599fe983b3dc52abc641a3786d405852fa51a6b75c736e0c819a56272aa51e8ac2c8c56344c29ea8093a77b37

Malware Config

Extracted

  • Family

    remcos

  • Version

    2.5.1 Pro

  • Botnet

    xxxxxxxxxxxx

  • C2

    109.169.89.116:2021

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    s.sex

  • keylog_flag

    false

  • keylog_folder

    ssssss

  • keylog_path

    %UserProfile%

  • mouse_option

    false

  • mutex

    fuckhere-M9W1LK

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      PO93-DOC89345833_pdf.exe

    • Size

      241KB

    • MD5

      d44fd12c4a59244c15415cc69d9107b2

    • SHA1

      6a656dd83746eab439e5945c262f96b3cdce15ec

    • SHA256

      1f116c8f89973d9a9641d0dfd79af6c83c36ea2bf80a7cde67c18613402a1936

    • SHA512

      a8fffbf3fab2e479a20f544dc35f9c560793d6936a1a975a3aba68153c3d958b3963d5c87053b763de28a41d3cf04cbdb78e085001fa148234cc87f7d092253e

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task                   1      T1053
  Persistence           Scheduled Task                   1      T1053
  Privilege Escalation  Scheduled Task                   1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   2      T1497
  Discovery             Query Registry                   5      T1012
  Discovery             Virtualization/Sandbox Evasion   2      T1497
  Discovery             System Information Discovery     4      T1082
  Discovery             Peripheral Device Discovery      1      T1120

Tasks