Overview

overview

10

Static

static

1

My2021-22-...DF.vbs

windows7-x64

7

My2021-22-...DF.vbs

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    My2021-22-W2-1040-1099-R.PDF.vbs

  • Size

    2.0MB

  • Sample

    230322-w7b12ace5t

  • MD5

    679125286a8552fc36b9cbb2fafae268

  • SHA1

    4b2e7be52f7219389b367df7feb608351adfb270

  • SHA256

    0bda29c1168f11ab1a4f920dfdbe41708ef9766aa498ec78a32bd03e58c8419a

  • SHA512

    18e6638993bb796776752fc558b04d662731f6d8594d186ce6af77451ab9b83cec815df323d122894c58b6a9721e173b6f11593ca0ea5f797153adf58bcdf6be

  • SSDEEP

    24576:+8o61WnM8/07gQVyPXo7lCI+aSf7Wf0us3AtxqPZyDy3vgJxhgW:eswPXoBAx+4ALfN

Score
10/10
hawkeyeremcosremotehostkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

193.142.146.203:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-4SUXAY

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      My2021-22-W2-1040-1099-R.PDF.vbs

    • Size

      2.0MB

    • MD5

      679125286a8552fc36b9cbb2fafae268

    • SHA1

      4b2e7be52f7219389b367df7feb608351adfb270

    • SHA256

      0bda29c1168f11ab1a4f920dfdbe41708ef9766aa498ec78a32bd03e58c8419a

    • SHA512

      18e6638993bb796776752fc558b04d662731f6d8594d186ce6af77451ab9b83cec815df323d122894c58b6a9721e173b6f11593ca0ea5f797153adf58bcdf6be

    • SSDEEP

      24576:+8o61WnM8/07gQVyPXo7lCI+aSf7Wf0us3AtxqPZyDy3vgJxhgW:eswPXoBAx+4ALfN

    Score
    10/10
    hawkeyeremcosremotehostkeyloggerratspywarestealertrojan

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

      keyloggertrojanstealerspywarehawkeye

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks