Overview

overview

10

Static

static

TNT Origin...DF.exe

windows7-x64

10

TNT Origin...DF.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    TNT Original Documents PDF.ace

  • Size

    820KB

  • Sample

    221223-lz3hxabd91

  • MD5

    780c5ffe5a04423b7eb4fe5aa6ef5a6d

  • SHA1

    afa2e5b89f13ee1adf1c727bc2f0e2ac2d8950da

  • SHA256

    2a06259a25603d43bc2e4102b4baaebf963e7d482ef4b937c3b024df672caee5

  • SHA512

    82ba88aa1021431a21d4908fca8a210a299888e9f083dae689c6827dc45a6fcc716c0d882b0a995b230645be37c495388bf69a7af29b81189b484c363aa3409f

  • SSDEEP

    24576:C6OSRi+ckYNUCl/NKupavrS/+vxz50cFtXvrFgPGJ:CFShKlKupA+mvxF0otfRgPs

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-CMFPLR

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      TNT Original Documents PDF.exe

    • Size

      1.1MB

    • MD5

      c47d4637cd7e5d05235b8d1d27d781e1

    • SHA1

      db7c0312d11064e31c9f9eb8b0672aad3dc45545

    • SHA256

      df5e690e3853c11de2a42d9a958ed8ca923c704b3ccf320c3c6c154377b3bd38

    • SHA512

      8f4bd819c5688a48c93e5ab5d783563a634d5a108e94a7e83009cf29d6884db7d0f54e7b56686cd5796f6ec4940b05490b2e9ae39fc49fe94ba95a26a70c9bfe

    • SSDEEP

      24576:oEFdELpCybniAU64H80Hpl1CdJyS41oe4VIG8pAsvwG3ZUi0OqXugfhS:VFdELpCybniAU6epl4XyS1ei8pvwuZUB

    Score
    10/10
    remcosremotehostrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks