General

  • Target

    264d6866d534205d35dcbbb2e5f031440f5580ae97d0eec657477f957039126a.rar

  • Size

    862KB

  • Sample

    240406-bhdhcagb9t

  • MD5

    4a55080ea22461dbfd69c2165b8b2a6a

  • SHA1

    2bfdf95aa43808a65019537d56e4d4e60320f387

  • SHA256

    264d6866d534205d35dcbbb2e5f031440f5580ae97d0eec657477f957039126a

  • SHA512

    0e2f2bff9c856197cd3b1e90096f9d2c75a798aedbeb14f847bc9bea30b352ebe0667a280bf84cde84edfe9a969ea08ed0983c821801a0a7eb12d862da55ee33

  • SSDEEP

    12288:X4ynNHf0BgAYUpjKwQD2Ha7VL8UmLXl8sJnmAaugU93axXdZXQZgTtzqI:X1nxIY+jPa7VYUmLCsJn5auB9atrXQMj

Score
10/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sembe.duckdns.org:14645

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    notess

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Rmc-P0AEMX

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
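A hunt script built from the configuration above, added here as an example (it is not part of the sandbox report and not Remcos code). It turns the extracted values into indicators while honouring the enable flags: with install_flag, keylog_flag and screenshot_flag all false in this build, the copy, keylog and screenshot paths are not emitted, which leaves the mutex and the C2 as the artifacts worth hunting for. The log lines are constructed; the tab-separated DNS and connection record layout, the Sysmon-style host lines, the "Rmc-" plus six alphanumerics mutex pattern, the expansion of %AppData% to C:\Users\<user>\AppData\Roaming, the copy location under %AppData% and the .duckdns.org heuristic are all assumptions.

```python
import re

# Values copied from the extracted config above; the enable flags are kept so the
# hunt list only includes artifacts this build would actually produce.
CONFIG = {
    "c2": "sembe.duckdns.org:14645",
    "mutex": "Rmc-P0AEMX",
    "install_flag": False, "copy_folder": "Remcos", "copy_file": "remcos.exe",
    "keylog_flag": False, "keylog_folder": "notess", "keylog_file": "logs.dat",
    "screenshot_flag": False, "screenshot_folder": "Screenshots",
}

# Assumptions, not from the report: %AppData% expands to the Roaming profile dir,
# the copy location is also under %AppData%, and Remcos mutexes follow "Rmc-" + 6 alphanumerics.
APPDATA_RE = r"C:\\Users\\[^\\]+\\AppData\\Roaming"
MUTEX_RE = re.compile(r"\bRmc-[A-Z0-9]{6}\b")
DYNDNS_SUFFIX = ".duckdns.org"  # heuristic: same dynamic-DNS provider as the C2


def indicators(cfg):
    """Derive hunt indicators from a config dict, emitting a file path only when
    the feature that writes it is enabled."""
    host, _, port = cfg["c2"].rpartition(":")
    ind = {"c2_host": host.lower(), "c2_port": int(port), "mutex": cfg["mutex"], "paths": []}
    if cfg["install_flag"]:
        ind["paths"].append((cfg["copy_folder"], cfg["copy_file"]))
    if cfg["keylog_flag"]:
        ind["paths"].append((cfg["keylog_folder"], cfg["keylog_file"]))
    if cfg["screenshot_flag"]:
        ind["paths"].append((cfg["screenshot_folder"],))
    return ind


def path_re(parts):
    """Regex for %AppData%\\part\\... under the APPDATA_RE assumption."""
    return re.compile(APPDATA_RE + "".join(r"\\" + re.escape(p) for p in parts), re.I)


def scan_dns(lines, ind):
    """Tab-separated 'ts uid src sport dst dport query' records (Zeek dns.log style)."""
    hits = []
    for line in lines:
        f = line.split("\t")
        if len(f) < 7:
            continue
        q = f[6].rstrip(".").lower()
        if q == ind["c2_host"]:
            hits.append(("c2_dns", f[2], q))
        elif q.endswith(DYNDNS_SUFFIX):
            hits.append(("dyndns_lookup", f[2], q))  # weaker signal, still worth a look
    return hits


def scan_conn(lines, ind):
    """Tab-separated 'ts uid src sport dst dport proto' records (Zeek conn.log style).
    Port alone is weak evidence; correlate with a c2_dns hit from the same source."""
    hits = []
    for line in lines:
        f = line.split("\t")
        if len(f) >= 7 and f[6] == "tcp" and int(f[5]) == ind["c2_port"]:
            hits.append(("c2_port", f[2], f[4]))
    return hits


def scan_host(lines, ind):
    """Sysmon-style key=value lines: mutex names (exact and family pattern) and enabled paths."""
    rxs = [path_re(p) for p in ind["paths"]]
    hits = []
    for line in lines:
        m = re.search(r"Name=(\S+)", line)
        if m and m.group(1) == ind["mutex"]:
            hits.append(("mutex_exact", line))
        elif m and MUTEX_RE.search(m.group(1)):
            hits.append(("mutex_pattern", line))
        hits.extend(("artifact_path", line) for rx in rxs if rx.search(line))
    return hits


# Constructed sample telemetry (not real captures).
DNS_LOG = [
    "1712390000.1\tC1\t10.0.0.5\t51000\t10.0.0.1\t53\tsembe.duckdns.org",
    "1712390001.2\tC2\t10.0.0.5\t51001\t10.0.0.1\t53\tupdate.microsoft.com",
    "1712390002.3\tC3\t10.0.0.7\t51002\t10.0.0.1\t53\tother-host.duckdns.org",
]
CONN_LOG = [
    "1712390003.0\tC4\t10.0.0.5\t51003\t203.0.113.10\t14645\ttcp",
    "1712390004.0\tC5\t10.0.0.5\t51004\t203.0.113.20\t443\ttcp",
]
HOST_LOG = [
    r"Host=WS01 Event=CreateMutant Name=Rmc-P0AEMX",
    r"Host=WS02 Event=CreateMutant Name=Rmc-ZZ9QX1",
    r"Host=WS01 Event=FileCreate Path=C:\Users\bob\AppData\Roaming\notess\logs.dat",
    r"Host=WS03 Event=FileCreate Path=C:\Users\eve\AppData\Roaming\Remcos\remcos.exe",
    r"Host=WS02 Event=FileCreate Path=C:\Users\ann\AppData\Roaming\Mozilla\profiles.ini",
]


def hunt(dns=DNS_LOG, conn=CONN_LOG, host=HOST_LOG, cfg=CONFIG):
    ind = indicators(cfg)
    return {"dns": scan_dns(dns, ind), "conn": scan_conn(conn, ind), "host": scan_host(host, ind)}


if __name__ == "__main__":
    for kind, hits in hunt().items():
        for h in hits:
            print(kind, *h)
```

With the config as extracted, the remcos.exe and logs.dat file events in the sample host log are deliberately not flagged; flipping install_flag or keylog_flag to true in the dict adds the corresponding path indicator, which is the check to make before pushing file-path IOCs from a sandbox config into a hunt.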

Targets

    • Target

      TSTS 0005A.bat

    • Size

      922KB

    • MD5

      b195643d6d8c3f81c7409533ad14726c

    • SHA1

      c09b56928fb1f448ed9b3610a0b930f77e2ebcfe

    • SHA256

      f4eaa74eb268a58cff6f5d37607758bd49cc00af060da799857ae10cfd59efb2

    • SHA512

      b843153f581be5a77b8575cf09e25333d5eaf5af3b689441ad0af336c4494a6181d5882dfa8b2ba2d90acb64cd3db9ab26f1cf87e1991f996d26cbb6990c5fb8

    • SSDEEP

      24576:JgjHr6DLW5Gaxs00MUVXdtS6seDmw+Op8lCua51:WrpDxclG65mg8lCuo

    Score
    10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

    • Detects executables packed with SmartAssembly

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job, T1053 (1)

  • Persistence

    Scheduled Task/Job, T1053 (1)

  • Privilege Escalation

    Scheduled Task/Job, T1053 (1)

  • Discovery

    Query Registry, T1012 (1)
    System Information Discovery, T1082 (2)

Tasks