Overview

overview

10

Static

static

01cf32ac5a...00.exe

windows7-x64

3

01cf32ac5a...00.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e6153eb6f539856101a0873f5951509c.bin

  • Size

    998KB

  • Sample

    230117-jxsjtacf62

  • MD5

    9bba72581042777d8ddec154d1e12319

  • SHA1

    ea7ae96ddfc6965117067065cacb1e5bb01c2ff0

  • SHA256

    4490d9df38c6a27ffd1eab7cc014d42edef0cd86bb17a39669031cb7df158b25

  • SHA512

    88e53ccba92c55885365795819f3c75dd712b400df1b16b3916201cbe599c6fbd1b22fa2b2c501b56139c7b15e6a873c9c520064ec920804e7a3a5d8f911af12

  • SSDEEP

    24576:b6ktdkRwbZwh4VLCy9sGyjL9IL7Fx+YjCu3zPLsAgn7x28a62MuhVmPj:b6udVo4VWjxILvzjJPLsA+O5Mnr

Score
10/10
remcospowerpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Power

C2

powerstationinfinite.online:2022

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logins.dat

  • keylog_flag

    false

  • keylog_folder

    WinPow

  • mouse_option

    false

  • mutex

    RmcsPower-SYFR8B

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      01cf32ac5af5d24b1925fad42673faa53d97d65310d04a1414a8ddd8eee11600.exe

    • Size

      2.2MB

    • MD5

      e6153eb6f539856101a0873f5951509c

    • SHA1

      25d9c8d80348cca37fdbebb6e18ac6542671214e

    • SHA256

      01cf32ac5af5d24b1925fad42673faa53d97d65310d04a1414a8ddd8eee11600

    • SHA512

      c9ff6102e077ddae4d4297dad966ae60f54e8a4aafba9b2da7a39b5b8fe7753ace7c5aafe5b3ef32c140ab2658aa12fd8bbdfc0cef4d8e2618ff15dc138b249a

    • SSDEEP

      24576:JLE3NdWH/dU3jObhCYXzj8f9GmOg9dfV1LH76COB9FhSlc:BE3mWWhOVfOCcFhSl

    Score
    10/10
    remcospowerpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks