General

  • Target

    Best price inquiry.rar

  • Size

    742KB

  • Sample

    230327-snf9vsga9y

  • MD5

    dab70075ceb702aa47a63e91a248d154

  • SHA1

    97e606d7a8c8a30b199902eb0c1d390b5743f552

  • SHA256

    ef52872464a8c0cac5d8a40077c607cdebdc496f7aeae799b80b993128f233d8

  • SHA512

    aad8099f202226f76f0f890b18567fabbc93fb61550ea0f6fa4a75d9753defad0e6500ea9b2674e5b05800f4427ec1b8574c28f9c288bdf9bb83836bf500747f

  • SSDEEP

    12288:j60g5FXTGJ9IiPvk9URyULyNE9laVZEjbw/hPqkPK9BIQ8IoviDmK5Vd8KE9:xg5lSLIiK0794Vu0ha9BZ8Io2mG8KE9

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

darren2023.sytes.net:2115

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    scs.exe

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-3YNKQ0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
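The attributes above are what a config extractor recovers once the sample's encrypted settings blob is decrypted and split into fields. The Python below is an added example, not code from this report or from Remcos itself: it decrypts a key-length-prefixed RC4 blob and parses the plaintext. The layout it assumes (byte 0 = key length, then the key, then RC4 ciphertext; fields separated by `|\x1e\x1e\x1f|`; field 0 a list of `host:port:password` C2 entries separated by `\x1e\x1e\x1f`; field 1 the botnet ID) is the one public Remcos extractors describe and is an assumption here, and the positions of the remaining fields vary by version, so they are returned as a plain list. The RC4 key, the C2 password and the trailing mutex field are constructed, and the blob is built by the example itself, so nothing is read from the actual sample.

```python
"""Decrypt and parse a Remcos-style SETTINGS blob (added example).

Assumed layout (from public Remcos extractor write-ups, not verified
against this sample): byte 0 = RC4 key length, then the key, then RC4
ciphertext whose plaintext is FIELD_SEP-delimited. Field 0 = C2 list of
"host:port:password" entries joined by HOST_SEP, field 1 = botnet ID.
Later field positions are version-specific and are returned unparsed.
"""
from typing import Dict, List, Tuple

FIELD_SEP = b"|\x1e\x1e\x1f|"   # assumed field delimiter
HOST_SEP = b"\x1e\x1e\x1f"      # assumed separator between C2 entries


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def parse_settings(blob: bytes) -> Dict[str, object]:
    """Split off the key, decrypt, and parse the C2 list and botnet ID."""
    if not blob:
        raise ValueError("empty SETTINGS blob")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("invalid key length prefix")
    key = blob[1:1 + key_len]
    plain = rc4(key, blob[1 + key_len:])
    fields = plain.split(FIELD_SEP)
    if len(fields) < 2:
        # No delimiter: wrong key, truncated resource, or a version with a
        # different layout. Fail loudly rather than return garbage.
        raise ValueError("delimiter not found; wrong key or unsupported layout")
    c2: List[Tuple[str, int, str]] = []
    for entry in fields[0].split(HOST_SEP):
        host, port, password = entry.decode("latin-1").split(":", 2)
        c2.append((host, int(port), password))
    return {
        "c2": c2,
        "botnet": fields[1].decode("latin-1"),
        "fields": [f.decode("latin-1", "replace") for f in fields[2:]],
    }


def build_sample_blob() -> bytes:
    """Constructed test blob using the report's C2 and botnet ID.

    The key, the C2 password and the trailing mutex-only field are made up
    for the example; this is not the sample's real resource.
    """
    key = b"rc4-demo-key"
    plain = FIELD_SEP.join([
        b"darren2023.sytes.net:2115:pass",   # host:port:password (password constructed)
        b"RemoteHost",                       # botnet ID, as in the report
        b"Rmc-3YNKQ0",                       # mutex from the report, kept as a raw field
    ])
    return bytes([len(key)]) + key + rc4(key, plain)


if __name__ == "__main__":
    cfg = parse_settings(build_sample_blob())
    for host, port, _ in cfg["c2"]:
        print(f"C2 {host}:{port}  botnet={cfg['botnet']}")
```

Against a real sample the blob comes from the RCDATA resource named `SETTINGS` of the unpacked executable; the parser above only needs the raw bytes, so any resource-extraction tool can feed it.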

Targets

    • Target

      Best price inquiry.exe

    • Size

      768KB

    • MD5

      b5d80c839eed720a63fbc6cd47a80a9e

    • SHA1

      ef4bf7a44f3f7da17798ad1be32055e359ecd90b

    • SHA256

      643d6f1a9a24b68a77de03bbe2ccf63751c072976b14607bb224eda31887f2de

    • SHA512

      5355d606140ad0c10d8db7bea8fe1b4a8468947fdc2605f05520ccd931f8aa1c5eb9dc0420b2efa376a9311c85c2cd12431d24a9965bd018e29f48d455fdf46d

    • SSDEEP

      24576:aMwf+m50w/dByz9z+NTUv91fZ5ZM1P3A6YlBE5Gw9:aMwf0w/dsYqjfrW93AXbEN9

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
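The "Adds Run key to start application" signature, read together with the install_flag, install_path, copy_file and startup_value attributes in the extracted config, describes how the sample persists: a copy named scs.exe under %AppData% started by a Run value named Remcos. The Python below is an added example, not part of this report, that runs the corresponding hunt over a constructed `.reg` export of the current user's Run key (the user name and the other entries are made up). It flags the exact indicators from this config and, more generally, any autostart whose image lives under the roaming profile directory, which is where %AppData% expands for a user.

```python
"""Hunt Run-key persistence matching this report's config (added example).

The .reg text below is constructed, not captured from the sandbox; the
indicators are the report's startup_value, copy_file and install_path.
"""
import re
from typing import Dict, List

# Constructed excerpt of: reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Remcos"="\"C:\\Users\\victim\\AppData\\Roaming\\scs.exe\""
"Updater"="C:\\Users\\victim\\AppData\\Roaming\\Temp\\upd.exe"
'''

STARTUP_VALUE = "Remcos"                  # config: startup_value
COPY_FILE = "scs.exe"                     # config: copy_file
INSTALL_DIR_HINT = r"\AppData\Roaming"    # config: install_path (%AppData%) as it expands on disk

_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_run_values(text: str) -> Dict[str, str]:
    """Return {value_name: unescaped data} for the ...\CurrentVersion\Run key."""
    values: Dict[str, str] = {}
    in_run_key = False
    for line in text.splitlines():
        if line.startswith("["):
            in_run_key = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        if not in_run_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            # .reg files escape backslash and double quote with a backslash.
            values[m.group(1)] = re.sub(r'\\(["\\])', r'\1', m.group(2))
    return values


def extract_image_path(data: str) -> str:
    """Strip surrounding quotes and arguments, leaving the executable path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def hunt_run_keys(values: Dict[str, str]) -> List[dict]:
    """Flag values matching the report's config, plus any autostart from %AppData%."""
    findings = []
    for name, data in values.items():
        path = extract_image_path(data)
        reasons = []
        if name.lower() == STARTUP_VALUE.lower():
            reasons.append("value name matches startup_value")
        if path.lower().endswith("\\" + COPY_FILE):
            reasons.append("image name matches copy_file")
        if INSTALL_DIR_HINT.lower() in path.lower():
            reasons.append("autostart image under %AppData% (install_path)")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_run_keys(parse_reg_run_values(SAMPLE_REG_EXPORT)):
        print(f"{f['name']}: {f['path']}  <- {'; '.join(f['reasons'])}")
```

The generic %AppData% rule will also surface the unrelated "Updater" entry in the constructed data; that is intended, since an autostart launched from a user-writable profile directory deserves a look regardless of which family put it there, while the name and file-name rules pin down this particular config.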

MITRE ATT&CK Matrix ATT&CK v6

  Tactic                 Technique                             Count   ID
  Persistence            Registry Run Keys / Startup Folder    1       T1060
  Defense Evasion        Modify Registry                       1       T1112
  Discovery              Query Registry                        2       T1012
  Discovery              System Information Discovery          3       T1082
  Command and Control    Web Service                           1       T1102

Tasks