General

  • Target

    4b5a014828c47f207836df686e57f820.bin

  • Size

    992KB

  • Sample

    240110-bwkhtabcbm

  • MD5

    adb978ff925af53d9ccd48964db0e2d5

  • SHA1

    6c21566882b3c887928c909fd793207a48bb7d6f

  • SHA256

    98c52dff353fe1cee968e529c0a7582f42e7db0ded2d2f45a035bd22d3a806c6

  • SHA512

    aad7020d37e825ae7ea404e84c16d1ca10ffa6b49bfff6e1c67920e278208d163d667465010059f26065fbb2598e42d434d5d004aac41b927587d408e5b13c9d

  • SSDEEP

    12288:yhoYOCKdoKnxofBaznaNnLlqhJA8lvcOu2gr9VLmoDHfYFilxe4uBbkPsffswKaR:wKdoNGaNnhky8epjQaxe4uom0wz2M

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    PC

  • C2

    107.175.229.139:8087

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-X5MJYU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      daff6ed76092cbee2ba195c52fe0d91888910706a5a43629973dc5aa19cccf86.exe

    • Size

      1.5MB

    • MD5

      4b5a014828c47f207836df686e57f820

    • SHA1

      9d4c80d719a4c1c7f2b12659c80c70c926aaefb6

    • SHA256

      daff6ed76092cbee2ba195c52fe0d91888910706a5a43629973dc5aa19cccf86

    • SHA512

      794c6603684b84ea99f11b483a8ee60cb36cf16bd77842ae401c97663e6b398ac868abf9195e454dcfb9f2aa8ce4e54e3849c82dbe0ed7ea4836991c961da358

    • SSDEEP

      49152:ATvC/MTQYxsWR7aYoZ2J4TApMnJLrQ1r:ojTQYxsWRMi4T+MJYt

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.
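The following Python is an added example, not part of the sandbox report or of any Remcos tooling. It turns the extracted configuration above into hunting checks: the C2 socket, mutex and dropped-copy file name come straight from the config values (C2, mutex, copy_folder, copy_file, install_flag), while the install location under %AppData%\Remcos\remcos.exe, the Run value name and all log lines are constructed assumptions about the behaviour flagged above ("Drops startup file", "Adds Run key to start application"), not facts the report states. Because keylog_flag and screenshot_flag are both false in this config, no logs.dat or Screenshots artifacts are derived.

```python
"""Derive hunting indicators from the Remcos config extracted above.

Added example, not from the sandbox report. Config values are copied from the
report; the %AppData% install path, Run value name and every log line below
are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Values taken from the "Extracted" config in the report.
REMCOS_CONFIG = {
    "c2": "107.175.229.139:8087",
    "mutex": "Rmc-X5MJYU",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "install_flag": True,
    "keylog_flag": False,
    "screenshot_flag": False,
}


@dataclass(frozen=True)
class Indicators:
    c2_ip: str
    c2_port: int
    mutex: str
    install_path_suffix: str   # assumption: %AppData%\<copy_folder>\<copy_file>
    expects_keylog_file: bool  # logs.dat only exists if keylog_flag is true
    expects_screenshots: bool  # Screenshots folder only if screenshot_flag is true


def indicators_from_config(cfg: dict) -> Indicators:
    """Map the extracted key/value config onto concrete host/network indicators."""
    ip, port = cfg["c2"].rsplit(":", 1)
    return Indicators(
        c2_ip=ip,
        c2_port=int(port),
        mutex=cfg["mutex"],
        # install_flag true plus copy_* values means a copy of the binary is dropped;
        # the parent directory (%AppData%) is an assumption, so match on the suffix only.
        install_path_suffix=(
            f"\\{cfg['copy_folder']}\\{cfg['copy_file']}".lower()
            if cfg["install_flag"] else ""
        ),
        expects_keylog_file=cfg["keylog_flag"],
        expects_screenshots=cfg["screenshot_flag"],
    )


# Constructed flow-log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
FLOW_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def find_c2_flows(lines, ind: Indicators):
    """Return (timestamp, source ip) for every flow to the exact C2 socket.

    Matching on ip:port keeps the hit list tight; loosen to ip-only when the
    same host is seen on other ports and the investigation needs breadth.
    """
    hits = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        ts, src, _sport, dst, dport, _proto = m.groups()
        if dst == ind.c2_ip and int(dport) == ind.c2_port:
            hits.append((ts, src))
    return hits


# Constructed Autoruns-style CSV export: "<hive>\<key>,<value name>,<image path>"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)


def find_run_key_entries(lines, ind: Indicators):
    """Return Run/RunOnce entries whose image path ends with the dropped copy."""
    if not ind.install_path_suffix:        # nothing is dropped when install_flag is false
        return []
    hits = []
    for line in lines:
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            continue
        key, name, image = parts
        if RUN_KEY_RE.search(key) and image.strip('"').lower().endswith(ind.install_path_suffix):
            hits.append((key, name, image))
    return hits


# Constructed sample input (not from the report).
SAMPLE_FLOWS = [
    "2024-01-10T12:00:01Z 10.0.0.21:49812 -> 107.175.229.139:8087 tcp",
    "2024-01-10T12:00:02Z 10.0.0.21:49813 -> 142.250.74.206:443 tcp",
    "2024-01-10T12:00:05Z 10.0.0.37:51002 -> 107.175.229.139:443 tcp",  # same IP, other port
    "2024-01-10T12:01:00Z 10.0.0.21:49814 -> 107.175.229.139:8087 tcp",
]
SAMPLE_AUTORUNS = [
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Remcos,"C:\Users\alice\AppData\Roaming\Remcos\remcos.exe"',
    r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,C:\Windows\System32\SecurityHealthSystray.exe',
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce,Updater,C:\Users\alice\AppData\Local\Temp\update.exe',
]


def hunt(flows=SAMPLE_FLOWS, autoruns=SAMPLE_AUTORUNS):
    ind = indicators_from_config(REMCOS_CONFIG)
    return {
        "mutex": ind.mutex,
        "c2_flows": find_c2_flows(flows, ind),
        "run_keys": find_run_key_entries(autoruns, ind),
    }


if __name__ == "__main__":
    for k, v in hunt().items():
        print(k, v)
```

The flow check deliberately matches the full ip:port pair, so the constructed line to 107.175.229.139:443 is not reported; whether to widen to the bare IP depends on how noisy the environment is. The mutex name is returned as an indicator for a live-host check rather than matched here, since it is only observable on the running system.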

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation

    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1
    System Information Discovery (T1082): 2
