General

  • Target

    PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.tar

  • Size

    1.2MB

  • Sample

    230323-1hta8scc7s

  • MD5

    ca5cc907fa719d1b16bb9cd3870dff1b

  • SHA1

    ad70bbee108cddae13f9763c793a67a6d6671781

  • SHA256

    821c137ee343264e8c8c30161091cd61d63069371e4f6cb2c7131ed930426b5e

  • SHA512

    b33c09dea3529019d1188c416811f4ec34328c5eeca84907af817bfdb06d4b7ca1e057e578f79d636250383399b00bbdf552b61767c58126145ddb633ff73298

  • SSDEEP

    24576:YKXdBsLfg/rhl+D2h3tGia/vE1zEgk9OgPQJOLRpOfvwFq9B20HrLY0o0cw:YKmfg/rhUD2h3kC1AfFPKOLcvwcD2097

Score
10/10

Malware Config (extracted)

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    marlonloperalora09.con-ip.com:1995

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-L3LNUT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      PDF-09999384652983598652983758 ORDEN DE COMPRA Y FACTURACION AGUA PH PLS.exe

    • Size

      1023.9MB

    • MD5

      9d702008371d20fdd562bcda16e5980c

    • SHA1

      2cdd65d525020bb353d7e53d8a1ee61263985849

    • SHA256

      c53c37ade6c06b4813220a9e776b0b45e45e6eeffd2a09f6b633eef45868abdd

    • SHA512

      ebdcc4d65fd92b5ff773f77ca689b8aa4e0d0366211b432a85ca0db652000ba9d4a215b99173ab884f8a8b35c1ac5182c48ef2a91ab908915b3ad06a5c0abf90

    • SSDEEP

      12288:Of0zcQzKT8oQo2p2vS0gALQN58cPD8f6r0OU2yJI0FSJr1rziqLcyFxfp:OqKQN/p2vSNycPgs0OU2yJpFSTWexh

    Score
    10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                  Technique                       Count  ID
  Execution               Scheduled Task                  1      T1053
  Persistence             Scheduled Task                  1      T1053
  Privilege Escalation    Scheduled Task                  1      T1053
  Defense Evasion         Modify Registry                 1      T1112
  Discovery               Query Registry                  2      T1012
  Discovery               System Information Discovery    3      T1082
