Overview

overview

10

Static

static

1

52062e748f...f3.exe

windows7-x64

10

52062e748f...f3.exe

windows10-2004-x64

10

Sharing

Copy URL Twitter E-mail

General

  • Target

    52062e748f2857bf6bc3161cdfade85ec042d45093673514ca1787f7216a70f3.zip

  • Size

    1.1MB

  • Sample

    230321-yys93ach88

  • MD5

    4ecb4c96205aaa884a97bf771fe1ea87

  • SHA1

    1929bb508be91e02451c56432b19ea3b9f73d182

  • SHA256

    b8a0e1dc065423f52263ecb405c933e85920a34098214b94720c69b2792dd8c8

  • SHA512

    5e6ac8d3f13e7b6b5ec80ff9d4a5039f1df5d51cc583e40d5761235bd0e0bdb67d967350f93c321f987a57e8e446c22a833561bbf4aa4884e66cbbe866668568

  • SSDEEP

    24576:5TL7bEmR5SP9gwuCCDkrVWyxHfqMaFQrEb6WwIsrytZsr:5TL7I4Y9puVeVVxHyvFkEbTwLrEsr

Score
10/10
remcosremotehostpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

79.134.225.23:1097

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-UY1HFR

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      52062e748f2857bf6bc3161cdfade85ec042d45093673514ca1787f7216a70f3.exe

    • Size

      1.2MB

    • MD5

      718851e3f679d37e670918ffd078961a

    • SHA1

      9c10c66b026582d97290c470b551d262e86d42a3

    • SHA256

      52062e748f2857bf6bc3161cdfade85ec042d45093673514ca1787f7216a70f3

    • SHA512

      f47bb5b1955b0dc1d7e161a1a0b82cdefa909fc10f55346f468333867e4bce35e669e33b1a716abc9b10dd8b012f952b79677ec7049234f845693310f17f06b0

    • SSDEEP

      24576:r1QV+zUQjIdnYfnj349Nt+krzbholb28DMx//CN/k3BRfBZ+:rmszUB4nb63n+lb/DynCN/k3BlB

    Score
    10/10
    remcosremotehostratpersistence

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks