Overview

overview

10

Static

static

ENQUIRY 20222511.exe

windows7-x64

10

ENQUIRY 20222511.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    204s
  • max time network
    221s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 07:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ENQUIRY 20222511.exe

  • Size

    969KB

  • MD5

    c276da9fb72e85e8ded5a8ae567d118f

  • SHA1

    c8506923cb55e41f514ad2573ef3d32fc68e3a54

  • SHA256

    8e2730f5984afe0586003190249b7c9e5c51a3ef2ba0c2194db5dcd21242c20b

  • SHA512

    78fb550e3c815cb1214b2f67622444770d50c4e6764d55a900588ece4e3d586d61761982c0d9eb5a2ea157aed92c7fe5e992691781a6ee8b7c00310f718114e4

  • SSDEEP

    12288:ycejSCW48Poy5s1yqroLh2RCWZ8Lltwb4/fpYP2zf0Q+iWNq4Wc7QBrg8KnJmZJl:xlCWDoInS/xuwE/BYQsil4W4fJ

Score
10/10
remcosnew rem stubrat

Malware Config

Extracted

Family

remcos

Botnet

NEW REM STUB

C2

valvesco.duckdns.org:5050

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-48V73L

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ENQUIRY 20222511.exe
    "C:\Users\Admin\AppData\Local\Temp\ENQUIRY 20222511.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\ENQUIRY 20222511.exe
      "C:\Users\Admin\AppData\Local\Temp\ENQUIRY 20222511.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      PID:1948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1888-132-0x0000000000990000-0x0000000000A88000-memory.dmp
    Filesize

    992KB

    Download
  • memory/1888-133-0x0000000005A80000-0x0000000006024000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1888-134-0x0000000005400000-0x0000000005492000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1888-135-0x00000000055C0000-0x00000000055CA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1888-136-0x0000000008E20000-0x0000000008EBC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1948-137-0x0000000000000000-mapping.dmp
    Download
  • memory/1948-138-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1948-139-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1948-140-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1948-141-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download
  • memory/1948-142-0x0000000000400000-0x000000000047F000-memory.dmp
    Filesize

    508KB

    Download