General

  • Target

    PROOF_OF.EXE.exe

  • Size

    1.1MB

  • Sample

    230327-js9brscd55

  • MD5

    1b757184307094f4f4d1caefe3ee80d3

  • SHA1

    fd19f622093c77c00879a3b2bce2171f1b5445bc

  • SHA256

    36006e43513ee6ca1f60cf3a18b55d0cf42dcf095f166ab71314902d472a0453

  • SHA512

    453b76346c793581633a6c1b3dbef18c37c5db8835a4c8760647c0350879738baa4cc769aeee01cad5c8e30f83fa48ccb370b3fab9b9aff06c96b9df668b0ff3

  • SSDEEP

    24576:MA5Ix0j/0Yw6gDYm+T1Nk/iEYaEr/pa7qvjSUJD:V5Q0gGg8XxNk/i8Ej42SUp

Score
10/10

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    212.193.30.230:3348

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-4LKZRP

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082
