General

  • Target

    9920E53084316EB1FE823DD747DEDF76A8ABEB37E07D491A76C3E546F0CC865B

  • Size

    858KB

  • Sample

    221123-r2dkfsda9s

  • MD5

    5e984690c65c1d6a8c205c467c9edbb8

  • SHA1

    1c38d41e218b7ffcab06e46dadcd9d2efbf380b7

  • SHA256

    9920e53084316eb1fe823dd747dedf76a8abeb37e07d491a76c3e546f0cc865b

  • SHA512

    226b5c651c6d6f81897556e7e0bbd2677c19a244c95b514234b198dbac2402f6a24ad9daaa88b62fbafbb3654e9d55fa2ae91fd50fac5e711a9d372a50dafcec

  • SSDEEP

    12288:pt/AKBPWjxrJvGwJSUOIbQA52p9fieXuEATeZyIQFbzcU/:/bOBdGMSI/wlhuE8doC

Malware Config

Extracted

Family

remcos

Botnet

worldclass

C2

91.193.75.188:60005

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    worldclass.exe

  • copy_folder

    worldclass

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-BY6BKA

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    worldclass

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      swiftcopy.exe

    • Size

      390.0MB

    • MD5

      f101b3158db2bdfbbeb97867f6b3dd91

    • SHA1

      a726050dab999854ae32feffd9fe0e75796cec64

    • SHA256

      900f05edc300fae13b416e42a9368acf5a3956895b7c7812d209b8c56bff08ea

    • SHA512

      b1ae04125e3531a636fd7347cd22df2ca06d4d4ff42951c0b1d59923fe78034bcf5a7ec81fbbd891c454835202103ac751f617ec811eba07b9f39bb605a56779

    • SSDEEP

      12288:PKBzbrJriwnMyQlh/b9bIhjv9qXvHvHXJKSV:P+75iwMrdbKhz0/Hv/

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder: T1060 (1)

  • Defense Evasion

    Modify Registry: T1112 (1)

  • Discovery

    System Information Discovery: T1082 (1)

Tasks