Overview

overview

10

Static

static

1

RO10098.docx

windows7-x64

10

RO10098.docx

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RO10098.docx

  • Size

    292KB

  • Sample

    230608-lb1z6sdf28

  • MD5

    473b3909e911de8c27ab621986c02d0e

  • SHA1

    bd0366e2416de0fa75b77414b82f31e7ede37255

  • SHA256

    5564cb2776b7336df157a5d8133543aa7a55c59550d9c8095f660e9945f4d93f

  • SHA512

    bb41b10cc26a8426beba8285488a99898cd9b4a7a7e4abe4c99bb29444b3a4af3b72238fb7e0b7dd17741931a057edc834345d0da79a738e2817579306404cd4

  • SSDEEP

    6144:yi7n5JRXQnl81RkVsBIPs5eK9U4zOu/lpW+1a5Uvk6pfo4sCy+ltOOCr0:yi75Ya1RkVTsr3OypRaOxJo4sUltOtr0

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pekonomiana.duckdns.org:30491

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %Temp%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-EORWFM

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      RO10098.docx

    • Size

      292KB

    • MD5

      473b3909e911de8c27ab621986c02d0e

    • SHA1

      bd0366e2416de0fa75b77414b82f31e7ede37255

    • SHA256

      5564cb2776b7336df157a5d8133543aa7a55c59550d9c8095f660e9945f4d93f

    • SHA512

      bb41b10cc26a8426beba8285488a99898cd9b4a7a7e4abe4c99bb29444b3a4af3b72238fb7e0b7dd17741931a057edc834345d0da79a738e2817579306404cd4

    • SSDEEP

      6144:yi7n5JRXQnl81RkVsBIPs5eK9U4zOu/lpW+1a5Uvk6pfo4sCy+ltOOCr0:yi75Ya1RkVTsr3OypRaOxJo4sUltOtr0

    Score
    10/10
    remcosremotehostrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Abuses OpenXML format to download file from external location

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks