Overview

overview

10

Static

static

3

24a17dfa6c...94.exe

windows7-x64

10

24a17dfa6c...94.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    24a17dfa6c17e07ff12f2dd08739a194

  • Size

    313KB

  • Sample

    231225-rkcxlagbbr

  • MD5

    24a17dfa6c17e07ff12f2dd08739a194

  • SHA1

    2acd94e41b368f931ab24ccb9966e7256e2cb1ab

  • SHA256

    091fc32e3abe826b4ff3f1c387eda3bdd68ccc2a047ae83dcb4d232f196a7349

  • SHA512

    ba1d37612c2fe42f54639ca76abf325fa7571ac319183285707ad380b9b39b0f48007b902808b0ce616013652e9f5ea375ec33430c6af4fd4d32400ccbb5aada

  • SSDEEP

    3072:BWUElmXkJr4Dul8kZyLA93qlUD2mvwV6bFcHSRoodGv8Z3WKvLMgNdAWcmgZbJSH:SogNJHWeuKwv4U6L7NrT

Score
10/10
remcosremotehostevasionratrezer0trojan

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

RemoteHost

C2

experience247.ddns.net:1965

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-56Z5SR

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      24a17dfa6c17e07ff12f2dd08739a194

    • Size

      313KB

    • MD5

      24a17dfa6c17e07ff12f2dd08739a194

    • SHA1

      2acd94e41b368f931ab24ccb9966e7256e2cb1ab

    • SHA256

      091fc32e3abe826b4ff3f1c387eda3bdd68ccc2a047ae83dcb4d232f196a7349

    • SHA512

      ba1d37612c2fe42f54639ca76abf325fa7571ac319183285707ad380b9b39b0f48007b902808b0ce616013652e9f5ea375ec33430c6af4fd4d32400ccbb5aada

    • SSDEEP

      3072:BWUElmXkJr4Dul8kZyLA93qlUD2mvwV6bFcHSRoodGv8Z3WKvLMgNdAWcmgZbJSH:SogNJHWeuKwv4U6L7NrT

    Score
    10/10
    remcosremotehostevasionratrezer0trojan

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Uses the VBS compiler for execution

    • Windows security modification

      evasiontrojan

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Scheduled Task/Job

1
T1053

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks