remcos | 093d5cf870867a18a04b1ff17a71b398f38663446ef9cda68e34120b28d46f43 | Triage

Submit
Reports

Overview

overview

Static

static

efd4213633...c1.exe

windows7-x64

efd4213633...c1.exe

windows10-2004-x64

Sharing

General

Target

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
Size

864KB
Sample

221017-djwresaee7
MD5

603b68f2852bb9a2020347b6117591d6
SHA1

f02104ecb7ff20f226aa4959bd0300287ef9695c
SHA256

093d5cf870867a18a04b1ff17a71b398f38663446ef9cda68e34120b28d46f43
SHA512

2a0317c2a652a1fc5adc0f9261cb9155d8354c0ae7895015b01546dff901895b3c590c829402b37fad18322aa0cc88f46d81249f264bf3335b6a5f577d84a930
SSDEEP

24576:n39RL4+mBmlPDeBXqLKj6uy4PeZ4UmWDyA:3b42PDeBWLIeZ45WH

Score

10^/10

remcos xmrig 220928 miner rat upx

Static task

static1

Behavioral task

behavioral1

Sample

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe

Resource

win7-20220901-en

remcos 220928 rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1.exe

Resource

win10v2004-20220812-en

remcos xmrig 220928 miner rat upx

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

220928

C2

minecraftrpgserver.com:80

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
software_reporter_tool.exe
copy_folder
Google
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
adbkey.dat
keylog_flag
false
keylog_path
%Temp%
mouse_option
false
mutex
9416a517bdcd8521-8QM7X6
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Google
screenshot_path
%Temp%
screenshot_time
60
startup_value
Google
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
- Size
  
  2.2MB
- MD5
  
  5051c71e2b1b319a14474b47876403e4
- SHA1
  
  3684e802d6831d76da44d53cef16939916976b94
- SHA256
  
  efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
- SHA512
  
  8aaaa2ed847f452972d36854925e6043fba389f8a8852aad02c10e67d6fc2b0baac5548b48762d522cac4d8980a98170097281fc175f06ff2387c5fdb13b3636
- SSDEEP
  
  24576:WN9ewmMdH+HY530osWnYQb6VOKs4zm2evT:I
Score

10^/10

remcos 220928 rat xmrig miner upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Hidden Files and Directories

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcos220928rat

behavioral2

remcosxmrig220928minerratupx

© 2018-2024

Terms | Privacy