General

  • Target

    33-0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618.zip

  • Size

    770KB

  • Sample

    221013-q29r8agabj

  • MD5

    1d97513f9869758456a5b907892cd094

  • SHA1

    72ccf0214d29ad7b5f6345bab66240a6646427ba

  • SHA256

    15997878094935d032953d1d73e84519c39c335c1e6711b23891f7ffcb58e08f

  • SHA512

    0d164c6e8267ca4bc1ac07edf4aa17b0b20c8f7eec7957c3447aba0337ac283f88d9e4d11e59ccb9c45709c3b2ce6e3a6ba5aecbbd1f457935b98ddcd47ac9ec

  • SSDEEP

    12288:P4yCBj1ws9+Ct4DLfxIMJeI43lhGcP2BZTNT1emejDjUL6YLW0xIbxMl8bnF:P47BGsAxoI43lhGpB1eme/sdWBd7F

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    XP

  • C2

    xpremcuz300622.ddns.net:3542

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    oos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Remcos-MMP2I7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    kkl

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618.exe

    • Size

      835KB

    • MD5

      0caf4f8bc47dc7226740d023f654e937

    • SHA1

      eea58b2403f0aaf088b272b948eeaaf6f87009cc

    • SHA256

      0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618

    • SHA512

      3cacca879960ca9b9c12fd0bdd72c81b98601c33d531fb24bb259d6c45f09f23e1f6a5a0720af5236d2239d83b62eaf315bd1b39e9ed67a73828318f1155e268

    • SSDEEP

      12288:rEVv2iNsAJ8YQNb4tQ3y/Q7AJFGWYKJH0bOt1BNvn1C0XtaPwL/UL6hDRgkADe:YF1nCNb4ucQ0JbY83nvn1C0UMg6hDRj

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic             Technique                             Count  ID
Persistence        Registry Run Keys / Startup Folder    1      T1060
Defense Evasion    Modify Registry                       1      T1112
Discovery          Query Registry                        1      T1012
Discovery          System Information Discovery          2      T1082

Tasks