Overview

overview

10

Static

static

10

bTQu.exe

windows7-x64

10

bTQu.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    29/02/2024, 09:07

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    bTQu.exe

  • Size

    233KB

  • MD5

    e8f66cc84d8cf1bb42d8fb8b88b7e5d4

  • SHA1

    2a241b028f4e3b2a9ac938315ee3db2f3267fbc3

  • SHA256

    d6c4e74a2a9ccdbe06290419c73185b032757f9d595b42029e8c245406a5731e

  • SHA512

    dd1a20c18f2c3b6372ffb37d3290d324b401f6ad897ffacb1c703b0b28f202f2afd6283117def76c5f96c075b5057c23efe7b50be7a16101a33895b81abe6188

  • SSDEEP

    6144:5mvl3n8iOiB4RBucKa3h80tK2gBWvADGGw6j1:IvlX8i8RB5JvADGGnj

Score
10/10
remcosremotehostratupx

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

payday27.duckdns.org:4546

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-MQ397Z

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bTQu.exe
    "C:\Users\Admin\AppData\Local\Temp\bTQu.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2908

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\remcos\logs.dat
          Filesize

          144B

          MD5

          0e24b69272ae9044fcd395ce6aa573d5

          SHA1

          59e195a48b166a163c50249a9902d890f3931a9e

          SHA256

          6728b5b9758a3cea69ab149a2ccce58ab3e3cfc19a6e1f2f2795d00f44be0ff7

          SHA512

          37fa83c3e9532393f613405591973d2c90cbe7bdccb878f370078030215c52bbc0795c4eca147fae2cab038d9c619839689489202dd66dea07ae261b09341450

          Download Submit

        • memory/2908-22-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-31-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-4-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-10-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-13-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-16-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-7-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-25-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-19-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-28-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-0-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-33-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-37-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-40-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/2908-43-0x0000000000400000-0x000000000048A000-memory.dmp

          Filesize

          552KB

          Download