General

  • Target

    Request_For_Quote(1).img.iso

  • Size

    1.4MB

  • Sample

    221101-xfr4lsecb9

  • MD5

    801abea04a6326aceee2c50fa574aa1b

  • SHA1

    e4c5c3739e2d694ab685d2ce822f90c8b59579ae

  • SHA256

    c15faefe36124624292ccddfb64d743c3f7bb1cab2788d09edd0b496af9c8512

  • SHA512

    dd1694424aaa2b7899c4b1587b88475c8fb7516b9dac4fdfc8294e324cd4912d19bf55cde286da22b681fd6259ea8956ee60531fa82cc1d62f1526d2730f0616

  • SSDEEP

    12288:GEVv2iNsAJ8YQNb4tQ3y/Q7AJFGWYKJH0bOt1BNvn1C0XtaPwL/UL6hDRgkADe:lF1nCNb4ucQ0JbY83nvn1C0UMg6hDRj

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    XP

  • C2

    xpremcuz300622.ddns.net:3542

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    oos.exe

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Remcos-MMP2I7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    kkl

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      REQUEST_.EXE

    • Size

      835KB

    • MD5

      0caf4f8bc47dc7226740d023f654e937

    • SHA1

      eea58b2403f0aaf088b272b948eeaaf6f87009cc

    • SHA256

      0d8783b653d2a02641f6b7684378b57a5cc6e1cf72521c0a0f378b1c6e74e618

    • SHA512

      3cacca879960ca9b9c12fd0bdd72c81b98601c33d531fb24bb259d6c45f09f23e1f6a5a0720af5236d2239d83b62eaf315bd1b39e9ed67a73828318f1155e268

    • SSDEEP

      12288:rEVv2iNsAJ8YQNb4tQ3y/Q7AJFGWYKJH0bOt1BNvn1C0XtaPwL/UL6hDRgkADe:YF1nCNb4ucQ0JbY83nvn1C0UMg6hDRj

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

  • Registry Run Keys / Startup Folder (T1060)

    1

Defense Evasion

  • Modify Registry (T1112)

    1

Discovery

  • Query Registry (T1012)

    1

  • System Information Discovery (T1082)

    2

Tasks