Overview

overview

10

Static

static

FED Gov Ap...es.exe

windows7-x64

10

FED Gov Ap...es.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-10-2022 05:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FED Gov Approved Certificates.exe

  • Size

    250.0MB

  • MD5

    c50de3d7b0351f474c2901f2106f54da

  • SHA1

    4a6e1118a0c0b702f2086a2721f389f89a50fd21

  • SHA256

    6870257b5f12bce7d4256553ca5b350abb40016e196284a20662e09b4171bad2

  • SHA512

    a0cab8850f84bfb6f54fda319b401b68740480555fd55266165b70d3ee114a1e740d5d8df52a1dfff10fddc7e00e489072d24aa08b357ac282532715ab600e69

  • SSDEEP

    12288:2lWVinRO/caHHRuXVg6gP0za7PuxZVTTS/VWsLjDv6:6WV24HReVg6g2a6xZV6/djDv6

Score
10/10
remcosmanuprat

Malware Config

Extracted

Family

remcos

Botnet

manup

C2

91.193.75.188:60005

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    universalupdaetfeeds.exe

  • copy_folder

    universalupdaetfeeds

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    universalupdaetfeeds

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    universalupdaetfeeds-13BJX3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    universalupdaetfeeds

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FED Gov Approved Certificates.exe
    "C:\Users\Admin\AppData\Local\Temp\FED Gov Approved Certificates.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\FED Gov Approved Certificates.exe
      "C:\Users\Admin\AppData\Local\Temp\FED Gov Approved Certificates.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1148-134-0x0000000000000000-mapping.dmp
    Download
  • memory/1148-135-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1148-136-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1148-137-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1148-138-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1148-139-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1352-132-0x0000000000240000-0x00000000002D2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1352-133-0x0000000005140000-0x00000000056E4000-memory.dmp
    Filesize

    5.6MB

    Download