Overview

overview

10

Static

static

attack.ps1

windows7-x64

10

attack.ps1

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    attack.ps1.ps1

  • Size

    4KB

  • Sample

    221005-j26bgadhfq

  • MD5

    176f540c8e71f960c63b239859ec05d2

  • SHA1

    c517eed5e7a5609f90933840094e78db12a4c68f

  • SHA256

    9986a5a295dcbcf5ca4b5c70f8f7a160316d20c7073956ad4ac636506b14bf18

  • SHA512

    726d248fd0f86487fe4b392b79ef0b7ef636cd9442d2bd8cebafb68520076153f07e4bb4318e155f1df36458dec570769af4f3817ecec8428d381e3753285cb4

  • SSDEEP

    96:w8vjRjNL3nxnBHbHXdb/p3FPPtLfhTbbfLThzZZTXP7CKx:w8vjRjNL3nxnBHbHXdb/p3FPPtLfhTbh

Score
10/10
remcostampabayrat

Malware Config

Extracted

Family

remcos

Botnet

tampabay

C2

zelthin.dvrlists.com:6268

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-MOJ319

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      attack.ps1.ps1

    • Size

      4KB

    • MD5

      176f540c8e71f960c63b239859ec05d2

    • SHA1

      c517eed5e7a5609f90933840094e78db12a4c68f

    • SHA256

      9986a5a295dcbcf5ca4b5c70f8f7a160316d20c7073956ad4ac636506b14bf18

    • SHA512

      726d248fd0f86487fe4b392b79ef0b7ef636cd9442d2bd8cebafb68520076153f07e4bb4318e155f1df36458dec570769af4f3817ecec8428d381e3753285cb4

    • SSDEEP

      96:w8vjRjNL3nxnBHbHXdb/p3FPPtLfhTbbfLThzZZTXP7CKx:w8vjRjNL3nxnBHbHXdb/p3FPPtLfhTbh

    Score
    10/10
    remcostampabayrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks