Overview

overview

10

Static

static

1

f4eaa74eb2...b2.exe

windows7-x64

10

f4eaa74eb2...b2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe

  • Size

    922KB

  • Sample

    240406-b8dk2ahd75

  • MD5

    b195643d6d8c3f81c7409533ad14726c

  • SHA1

    c09b56928fb1f448ed9b3610a0b930f77e2ebcfe

  • SHA256

    f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2

  • SHA512

    b843153f581be5a77b8575cf09e25333d5eaf5af3b689441ad0af336c4494a6181d5882dfa8b2ba2d90acb64cd3db9ab26f1cf87e1991f996d26cbb6990c5fb8

  • SSDEEP

    24576:JgjHr6DLW5Gaxs00MUVXdtS6seDmw+Op8lCua51:WrpDxclG65mg8lCuo

Score
10/10
remcosremotehostrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sembe.duckdns.org:14645

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    notess

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-P0AEMX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2.exe

    • Size

      922KB

    • MD5

      b195643d6d8c3f81c7409533ad14726c

    • SHA1

      c09b56928fb1f448ed9b3610a0b930f77e2ebcfe

    • SHA256

      f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2

    • SHA512

      b843153f581be5a77b8575cf09e25333d5eaf5af3b689441ad0af336c4494a6181d5882dfa8b2ba2d90acb64cd3db9ab26f1cf87e1991f996d26cbb6990c5fb8

    • SSDEEP

      24576:JgjHr6DLW5Gaxs00MUVXdtS6seDmw+Op8lCua51:WrpDxclG65mg8lCuo

    Score
    10/10
    remcosremotehostrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks