General

  • Target

    E2827807D8E056C645EBBB2CD10D32E8F3EE371494E2CBE4E56D56E94846F804

  • Size

    1.2MB

  • Sample

    221213-2rs79sgg77

  • MD5

    9ce28f7b9302ecc41c61ec9b2872f6e9

  • SHA1

    1aaea0f20bd56da3226ff00e342cad7ff8bf9873

  • SHA256

    e2827807d8e056c645ebbb2cd10d32e8f3ee371494e2cbe4e56d56e94846f804

  • SHA512

    ed1e5592d40f5a2947579e00f28d85fc781e9bc896333e237024b37feda1ad3ec303d111d9a6e26d14006e802c2b56056dcaab815c9fc43f45122256a256813d

  • SSDEEP

    12288:wAqJCwkCNDLOTC+PpCbDAY/XOo0KsBFz294T+4o:7qJC3aOTC+PpCQjogC94T+

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    awa

  • C2

    gdyhjjdhbvxgsfe.gotdns.ch:2718

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-J6C5A7

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
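The attributes above are the operational parameters of this build: the C2 host and port, the mutex, the copy/startup names used for persistence and the keylog file name. The script below turns those values into host and network indicators and matches them against a handful of constructed Sysmon-style events. It is an added example for this page, not sandbox or Remcos code; the event lines, the field names and the 203.0.113.7 / 198.51.100.9 addresses are constructed test input, not telemetry from the report. Since the config reports install_flag and keylog_flag as false, treat file and Run-key hits as corroborating evidence alongside the DNS/port hits rather than as required matches.

```python
"""Derive IOCs from the extracted Remcos config and match them against sample events.

Added example for this report; the events below are constructed, not sandbox output.
"""
import re

# Values copied from the extracted config on this page.
REMCOS_CONFIG = {
    "c2": "gdyhjjdhbvxgsfe.gotdns.ch:2718",
    "mutex": "Rmc-J6C5A7",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "startup_value": "Remcos",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
}


def config_to_indicators(cfg: dict) -> dict:
    """Derive host and network indicators from an extracted Remcos config.

    Paths and registry value names are lower-cased because NTFS and the
    registry compare case-insensitively. The mutex is kept verbatim; it is
    only visible through handle/memory inspection, not in Sysmon events.
    """
    host, _, port = cfg["c2"].rpartition(":")
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        "run_value": cfg["startup_value"].lower(),
        "drop_path": (cfg["copy_folder"] + "\\" + cfg["copy_file"]).lower(),
        "keylog_path": (cfg["keylog_folder"] + "\\" + cfg["keylog_file"]).lower(),
    }


# Constructed Sysmon-style events (EventID 22 = DNS query, 3 = network connect,
# 13 = registry value set, 11 = file create). Not taken from the sandbox run.
SAMPLE_EVENTS = [
    "EventID=22 Image=C:\\Users\\bob\\AppData\\Roaming\\Remcos\\remcos.exe QueryName=gdyhjjdhbvxgsfe.gotdns.ch",
    "EventID=3 Image=C:\\Users\\bob\\AppData\\Roaming\\Remcos\\remcos.exe DestinationIp=203.0.113.7 DestinationPort=2718",
    "EventID=13 Image=C:\\Users\\bob\\AppData\\Roaming\\Remcos\\remcos.exe TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Remcos",
    "EventID=11 Image=C:\\Users\\bob\\AppData\\Roaming\\Remcos\\remcos.exe TargetFilename=C:\\Users\\bob\\AppData\\Roaming\\remcos\\logs.dat",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp=198.51.100.9 DestinationPort=443",
]


def parse_event(line: str) -> dict:
    """Split 'Key=Value Key=Value' into a dict; a value runs until the next ' Key='."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def match_event(ev: dict, ind: dict) -> list:
    """Return the names of the indicators this single event satisfies."""
    hits = []
    eid = ev.get("EventID")
    if eid == "22" and ev.get("QueryName", "").lower() == ind["c2_host"]:
        hits.append("c2_host")
    if eid == "3" and ev.get("DestinationPort") == str(ind["c2_port"]):
        hits.append("c2_port")  # a port alone is weak; pair it with the resolved C2 IP in practice
    if eid == "13":
        target = ev.get("TargetObject", "").lower()
        if "\\currentversion\\run\\" in target and target.rsplit("\\", 1)[-1] == ind["run_value"]:
            hits.append("run_value")
    if eid == "11" and ev.get("TargetFilename", "").lower().endswith("\\" + ind["keylog_path"]):
        hits.append("keylog_path")
    if ev.get("Image", "").lower().endswith("\\" + ind["drop_path"]):
        hits.append("drop_path")
    return hits


def scan(lines, ind: dict) -> dict:
    """Map event index -> indicator hits, omitting events with no hits."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_event(parse_event(line), ind)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    indicators = config_to_indicators(REMCOS_CONFIG)
    for idx, hits in scan(SAMPLE_EVENTS, indicators).items():
        print(f"event {idx}: {', '.join(hits)}")
```

The firefox.exe event produces no hit, which is the point of matching on the full value rather than on substrings: port 2718 by itself or the word "remcos" inside an unrelated path would otherwise alert. The mutex Rmc-J6C5A7 is emitted as an indicator for handle-scanning tools even though none of the sample events can carry it.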

Targets

    • Target

      HR13.EXE

    • Size

      540KB

    • MD5

      09c8a4ec0abd5727a322511a1eb3c853

    • SHA1

      e0b7508f08e39e1cd2585ae8d7693f430a6a60c4

    • SHA256

      24ad92f2caa93cca887c6a2f81dc32a08d3f7e01f1e5939f519a9beb2b4db50f

    • SHA512

      ec91771ca6ccf7e8c0f7a0ce307558b6fc70bb4dbc73d82aa656fe1c92c71da28a9d0561f01f01b344e4ab9d9c42c93b0c7c847d14003a85c49f12de4d2650da

    • SSDEEP

      12288:WAqJCwkCNDLOTC+PpCbDAY/XOo0KsBFz294T+4oj:JqJC3aOTC+PpCQjogC94T+v

    • Remcos

      Remcos is a closed-source, commercially sold remote administration tool whose remote shell, keylogging and screen/microphone capture features are widely abused as a RAT; the extracted config above records this build's C2, persistence and capture settings.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext (typically used to redirect a suspended process's main thread into injected code, i.e. process hollowing)

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                             Count  ID
  Persistence      Registry Run Keys / Startup Folder    1      T1060
  Defense Evasion  Modify Registry                       1      T1112
  Discovery        System Information Discovery          1      T1082

The IDs follow ATT&CK v6; in current ATT&CK versions T1060 has been superseded by T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).

Tasks