remcos | efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1 | Triage

Submit
Reports

Overview

overview

Static

static

5051c71e2b...e4.exe

windows7-x64

5051c71e2b...e4.exe

windows10-2004-x64

Sharing

General

Target

5051c71e2b1b319a14474b47876403e4.exe
Size

2.2MB
Sample

221017-r2fd2sccej
MD5

5051c71e2b1b319a14474b47876403e4
SHA1

3684e802d6831d76da44d53cef16939916976b94
SHA256

efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
SHA512

8aaaa2ed847f452972d36854925e6043fba389f8a8852aad02c10e67d6fc2b0baac5548b48762d522cac4d8980a98170097281fc175f06ff2387c5fdb13b3636
SSDEEP

24576:WN9ewmMdH+HY530osWnYQb6VOKs4zm2evT:I

Score

10^/10

remcos xmrig 220928 miner rat upx

Static task

static1

Behavioral task

behavioral1

Sample

5051c71e2b1b319a14474b47876403e4.exe

Resource

win7-20220812-en

remcos 220928 rat

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

5051c71e2b1b319a14474b47876403e4.exe

Resource

win10v2004-20220901-en

remcos xmrig 220928 miner rat upx

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

220928

C2

minecraftrpgserver.com:80

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
software_reporter_tool.exe
copy_folder
Google
delete_file
true
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
true
keylog_file
adbkey.dat
keylog_flag
false
keylog_path
%Temp%
mouse_option
false
mutex
9416a517bdcd8521-8QM7X6
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Google
screenshot_path
%Temp%
screenshot_time
60
startup_value
Google
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  5051c71e2b1b319a14474b47876403e4.exe
- Size
  
  2.2MB
- MD5
  
  5051c71e2b1b319a14474b47876403e4
- SHA1
  
  3684e802d6831d76da44d53cef16939916976b94
- SHA256
  
  efd4213633c65b490245864feb69279cbdb09add9b70e22e18c183bb0f477cc1
- SHA512
  
  8aaaa2ed847f452972d36854925e6043fba389f8a8852aad02c10e67d6fc2b0baac5548b48762d522cac4d8980a98170097281fc175f06ff2387c5fdb13b3636
- SSDEEP
  
  24576:WN9ewmMdH+HY530osWnYQb6VOKs4zm2evT:I
Score

10^/10

remcos 220928 rat xmrig miner upx
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Downloads MZ/PE file
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Hidden Files and Directories

Privilege Escalation

Scheduled Task

Defense Evasion

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcos220928rat

behavioral2

remcosxmrig220928minerratupx

© 2018-2024

Terms | Privacy