remcos | 38415959c6c2be67f3c96932dbfaa903b4d650d00b003c5b59340cb692560a51 | Triage

Submit
Reports

Overview

overview

Static

static

c17c0259ca...cc.exe

windows7-x64

8

c17c0259ca...cc.exe

windows10-2004-x64

Sharing

General

Target

c17c0259ca58b7412fbf9ec5a75e3ecc.exe
Size

158KB
Sample

221005-m591lsedam
MD5

c17c0259ca58b7412fbf9ec5a75e3ecc
SHA1

13d2cc140cec0774a4daeb75dbf1333cf7bdf4ac
SHA256

38415959c6c2be67f3c96932dbfaa903b4d650d00b003c5b59340cb692560a51
SHA512

e428f6355c9fa60b891091e0a629f651968651e8f641e9d7759b3e197a498c88cbc657a8821f8f7abacdf72e1624a2472fead3a0bc116d36c87713f28b9b9ebe
SSDEEP

3072:+8bupux+SWv5NbwHw66vW2cSkkqFHhDMTYD8WUyy7GeLNcXOh:/2vcSkkqXDjDy3LNUOh

Score

10^/10

remcos xmrig 220928 miner rat upx

Static task

static1

Behavioral task

behavioral1

Sample

c17c0259ca58b7412fbf9ec5a75e3ecc.exe

Resource

win7-20220812-en

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

c17c0259ca58b7412fbf9ec5a75e3ecc.exe

Resource

win10v2004-20220812-en

remcos xmrig 220928 miner rat upx

windows10-2004-x64

23 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

220928

C2

minecraftrpgserver.com:80

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
software_reporter_tool.exe
copy_folder
Google
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
adbkey.dat
keylog_flag
false
keylog_path
%Temp%
mouse_option
false
mutex
9416a517bdcd8521-8QM7X6
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Google
screenshot_path
%Temp%
screenshot_time
60
startup_value
Google
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  c17c0259ca58b7412fbf9ec5a75e3ecc.exe
- Size
  
  158KB
- MD5
  
  c17c0259ca58b7412fbf9ec5a75e3ecc
- SHA1
  
  13d2cc140cec0774a4daeb75dbf1333cf7bdf4ac
- SHA256
  
  38415959c6c2be67f3c96932dbfaa903b4d650d00b003c5b59340cb692560a51
- SHA512
  
  e428f6355c9fa60b891091e0a629f651968651e8f641e9d7759b3e197a498c88cbc657a8821f8f7abacdf72e1624a2472fead3a0bc116d36c87713f28b9b9ebe
- SSDEEP
  
  3072:+8bupux+SWv5NbwHw66vW2cSkkqFHhDMTYD8WUyy7GeLNcXOh:/2vcSkkqXDjDy3LNUOh
Score

10^/10

remcos xmrig 220928 miner rat upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

remcosxmrig220928minerratupx

© 2018-2024

Terms | Privacy