General

  • Target

    96640a4799fe532df64ebde0a914567c.bin

  • Size

    501KB

  • Sample

    230327-cd967abb57

  • MD5

    56821b259b9e2e4e7d63bc8b06e7f9fe

  • SHA1

    f8519e5c6106a1e92c11d62a67c7740dca54b1dd

  • SHA256

    44a755ff3e39ab7289f79d9073d7658441fa45711ae53aaeffc86c587f4285f5

  • SHA512

    dbd60dd11fe2f7f12a74b446547298e563c29a2eb410e9cd203125f0a5ec0963f1b0de7a713496ea2a03bc86b74e27a56a4a8b07aeb00e9f7f3d862e2040aa05

  • SSDEEP

    12288:164OBYX8DU52A/0i00JxKvaE8Ck8Jo5aQUId7RmY:8Y8ZD0/KvNw5aQUIdAY

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    127.0.0.1:55898

    185.65.134.167:55898

    10.15.0.18:55898

    180.214.238.18:55898

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-41LT1T

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f.exe

    • Size

      525KB

    • MD5

      96640a4799fe532df64ebde0a914567c

    • SHA1

      5b8978b368104eb3ed79bfbb473790b9f18d4a83

    • SHA256

      6e5973b1e3a446ad7ee5e1753db6043be6a2a1b3ecfa1e5062ba1d001511491f

    • SHA512

      d827bb98f6965cb4ffe76cb45251273abf07fbaaf98e544970a87e37a58d339dd1b323211b965b07ae26e904a7d8990c375c28981c19535551ab001184a85409

    • SSDEEP

      12288:KYTTJvONxFQl3Hlhv8RWSGl9bOKMRTBI4A2Cpvb+TviXl0gpxX:KYTTxObqlVhEPOVOKMRTQVb+TKXl0gp5

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 1