remcos | 6291532d8a12896b5213e468896e222ca6c112b977d53c6a0a61cd78a3ee7535[.]exe | Triage

Sharing

General

Target

6291532d8a12896b5213e468896e222ca6c112b977d53c6a0a61cd78a3ee7535.exe
Size

481KB
MD5

fb1924b4eea9623ae0fc56c8cc3df771
SHA1

fdcee0af6726a1e1d37bd6d1b12760fbb8192699
SHA256

8c6fbb740f9b6cc85b0170835464558c160ad8b3d82737a6595671f60527cad6
SHA512

d7dbd27aa8c02ca4c04a8cd87d2dcecf4b40387589cedd95f85298900ce6b067cdd0928d52035c21ff75d82918bb7750f023b2af7b693c6fc542ca1ceb365189
SSDEEP

12288:8RXxReZj3WZfj/2eSseWFaIe2+f8CL47bs/ZiW:8x7cyF2eSsewS8W47eZj

Score

10^/10

chisomaugust remcos

Malware Config

Extracted

Family

remcos

Botnet

chisomAugust

C2

exbanebiec.duckdns.org:9596

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-I8K3ZB
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Remcos family
remcos

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
6291532d8a12896b5213e468896e222ca6c112b977d53c6a0a61cd78a3ee7535.exe

Files

6291532d8a12896b5213e468896e222ca6c112b977d53c6a0a61cd78a3ee7535.exe
.exe windows:5 windows x86 arch:x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 347KB - Virtual size: 346KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 94KB - Virtual size: 94KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 23KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: 512B - Virtual size: 9B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.gfids
Size: 1024B - Virtual size: 560B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 19KB - Virtual size: 18KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 15KB - Virtual size: 14KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ