remcos | unknown_unpacked[.]exe | Triage

Sharing

Copy URL Twitter E-mail

General

Target

unknown_unpacked.exe
Size

100KB
MD5

5c149f14d2f9ee277f3387b15a1ee143
SHA1

e380449921f9c70e2eb592ae8036fb6016fd7c43
SHA256

d48887b4f93897c107481f936d69c50596bc6c289c7e160999aad9dab7391129
SHA512

a4f2c7f5340317e905b8739a1524015127ded924949a2994122bad9f3dc47da6dfd0026f9a2ade016438c6f411f78216bb27619cc8b535db850ab61999e21a9f
SSDEEP

3072:3s7bVK/5D/boVCbgsc1ooOTRXIqxFs2FbgXNDq50qEH6r:87bVK/Vo8mzOTRXIqxJFMXNDq50qEHi

Score

10^/10

host remcos

Malware Config

Extracted

Family

remcos

Version

1.7.3 Pro

Botnet

Host

C2

remcos2.legacyrealestateadvisors.net:30042

remcos.legacyrealestateadvisors.net:30041

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
AudioHD.exe
copy_folder
AudioHD
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%ProgramFiles%
keylog_crypt
false
keylog_file
Drivers.dat
keylog_flag
false
keylog_folder
AudioHD
keylog_path
%ProgramFiles%
mouse_option
false
mutex
KJSBIuibidbiwee-ZJFN94
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
AudioHD
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos family
remcos

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
unknown_unpacked.exe

Files

unknown_unpacked.exe
.exe windows x86

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 64KB - Virtual size: 62KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 20KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 4KB - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 8KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ