General

  • Target

    E653166179ACC22876DDD925CE87CCA3B0172F8278ED084F22F766F057595F37

  • Size

    2.1MB

  • Sample

    221123-r19w9sab22

  • MD5

    6b5bed3d04c050a15f0591a3740f2bc6

  • SHA1

    010b0b313500a4a85ffe288a467605ef3556f2fa

  • SHA256

    e653166179acc22876ddd925ce87cca3b0172f8278ed084f22f766f057595f37

  • SHA512

    d660f21e8e14141fd35a5b90f0ddd8a769a6cf0b48921b34d69551c7966e7e7c8ca4a9e0870747971f43be3ebd71b6b95c97563f054f65213913578a46f14544

  • SSDEEP

    49152:Yvf38Lkwg6Nzs/rK57ZrYIKbarJl03eFwDHhsVTmvmxU0ySKz:4f3Skz6Nl3rcbarJ0eyls4y1K

Malware Config

Extracted

  • Family

    remcos

  • Version

    2.7.1 Pro

  • Botnet

    GODSWILLING

  • C2

    185.206.225.59:28027
    127.0.0.1:28027
    10.25.197.156:28027

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-IMAS3P

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      Mbijsjhkhg.exe

    • Size

      2.1MB

    • MD5

      c97b3b35d80c4de9c962f0ef0548e10b

    • SHA1

      d7c22a26e890a4e9389cd813db24594827c4abdc

    • SHA256

      f7ae4fb26c7e49ea1ef647606aefa29ecbf18618759ef24ecef23a5ad88e28af

    • SHA512

      af30768fe4b4d15066650804bc8ae245d69fedc68730f15000104e197febca1e0b5ad4812df87429a37a2f242fff7dcd57fd82859a17afddcfcbc60006ae789f

    • SSDEEP

      49152:6vf38Lkwg6Nzs/rK57ZrYIKbarJl03eFwDHhsVTmvmxU0ySKz:Gf3Skz6Nl3rcbarJ0eyls4y1K

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
