General

  • Target

    e-Payment Challan. R5364_08334_46915919.rar.pellet

  • Size

    514KB

  • Sample

    240410-ht7nwsae2x

  • MD5

    7e0c48a1dd23b3cc679796b066b634ea

  • SHA1

    fed7172a16410ec0dc2e2b40136ecc19fc991cb6

  • SHA256

    8c2ea9871e74e6666be7e36d50993391239f372868bb38e698b20f6c3e2fafcf

  • SHA512

    8818200c8c763c853dc9c61372aa4424649647e969fcd8c5e81436f1bce334c8b2367e7d525524f8ee040f6a07c4e77718488e78184f630be8ca70c0775304bb

  • SSDEEP

    12288:xNLgAJPj3mR9CIoR3FbV9bV7cQRLaGtbbE2pqf7sdA3roWnSw:LLlxjYCbvppD2N7sdA3ME7

Score
10/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

gg

C2

62.102.148.185:9771

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    newstart

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_wgwfvnfssp

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
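
The extracted configuration is the actionable part of this report: it names the C2 endpoint, the mutex, and the paths and Run-key value the implant would use if installation, keylogging or screenshots were switched on. Note that install_flag, keylog_flag and screenshot_flag are all false for this build, so the file and persistence artifacts are not expected on a host; they remain useful for hunting in case the flags were misparsed or a different loader installs the payload. The following is an added example, not code from the sandbox or the report. The config values are copied from the Extracted section above; the profile path C:\Users\alice\AppData\Roaming, persistence under the HKCU Run key, and the Sysmon-style events it runs over are constructed assumptions.

```python
"""Derive indicators from the extracted Remcos config and match them against
Sysmon-style events (added example; config values copied from the report,
profile path, Run-key location and sample events are assumptions)."""
import ipaddress
import re
from dataclasses import dataclass

# Copied verbatim from the report's "Extracted" section.
EXTRACTED = {
    "c2": "62.102.148.185:9771",
    "mutex": "remcos_wgwfvnfssp",
    "install_flag": "false", "install_path": "%AppData%",
    "copy_folder": "remcos", "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "keylog_flag": "false", "keylog_path": "%AppData%",
    "keylog_folder": "newstart", "keylog_file": "logs.dat",
    "screenshot_flag": "false", "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
}

APPDATA = r"C:\Users\alice\AppData\Roaming"                       # assumption: victim profile
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"   # assumption: Run-key persistence


@dataclass(frozen=True)
class Indicator:
    kind: str      # "c2" | "mutex" | "file" | "registry"
    value: str
    enabled: bool  # False when the config flag for that feature is off


def as_bool(value) -> bool:
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def parse_c2(entry: str):
    """Split 'host:port' and validate the host (IPv4 or hostname) and port range."""
    host, sep, port = entry.rpartition(":")
    if not sep or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad C2 entry: {entry!r}")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not re.fullmatch(r"[A-Za-z0-9.-]+", host):
            raise ValueError(f"bad C2 host: {host!r}")
    return host, int(port)


def expand(path: str, appdata: str = APPDATA) -> str:
    """Expand the %AppData% placeholder the config uses (case-insensitive)."""
    return re.sub(r"%appdata%", lambda _m: appdata, path, flags=re.IGNORECASE)


def indicators(cfg: dict, appdata: str = APPDATA) -> list:
    host, port = parse_c2(cfg["c2"])
    installed = as_bool(cfg["install_flag"])
    join = lambda *parts: "\\".join(parts)
    return [
        Indicator("c2", f"{host}:{port}", True),
        Indicator("mutex", cfg["mutex"], True),
        Indicator("file", join(expand(cfg["install_path"], appdata), cfg["copy_folder"], cfg["copy_file"]), installed),
        Indicator("registry", f"{RUN_KEY}\\{cfg['startup_value']}", installed),
        Indicator("file", join(expand(cfg["keylog_path"], appdata), cfg["keylog_folder"], cfg["keylog_file"]),
                  as_bool(cfg["keylog_flag"])),
        Indicator("file", join(expand(cfg["screenshot_path"], appdata), cfg["screenshot_folder"]),
                  as_bool(cfg["screenshot_flag"])),
    ]


def match_events(events, inds):
    """Return (event, indicator) pairs for Sysmon EID 3 (network), 11 (file create)
    and 13 (registry value set) events that touch an indicator."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        for ind in inds:
            if eid == 3 and ind.kind == "c2":
                if f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}" == ind.value:
                    hits.append((ev, ind))
            elif eid == 11 and ind.kind == "file":
                tf, want = ev.get("TargetFilename", "").lower(), ind.value.lower()
                if tf == want or tf.startswith(want + "\\"):   # folder indicators match children
                    hits.append((ev, ind))
            elif eid == 13 and ind.kind == "registry":
                # Sysmon records HKCU paths as HKU\<SID>\..., so compare below the hive.
                rel = ind.value.split("\\", 1)[1].lower()
                if ev.get("TargetObject", "").lower().endswith(rel):
                    hits.append((ev, ind))
    return hits


DROPPER = r"C:\Users\alice\Downloads\e-Payment Challan. R5364_08334_46915919.exe"
SAMPLE_EVENTS = [  # constructed, not taken from the sandbox run
    {"EventID": 3, "Image": DROPPER, "DestinationIp": "62.102.148.185", "DestinationPort": 9771},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "13.107.4.50", "DestinationPort": 443},
    {"EventID": 11, "Image": DROPPER, "TargetFilename": r"C:\Users\alice\AppData\Roaming\remcos\remcos.exe"},
    {"EventID": 13, "Image": DROPPER,
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\remcos"},
]

if __name__ == "__main__":
    for ev, ind in match_events(SAMPLE_EVENTS, indicators(EXTRACTED)):
        note = "" if ind.enabled else "  (feature disabled in config: check the parse or suspect another loader)"
        print(f"EID {ev['EventID']:>2} {ind.kind:<8} {ind.value}{note}")
```

A hit on an indicator whose feature is disabled in the config (here the remcos.exe copy and the Run value) should be treated as a signal to re-check the config parse or to look for a separate installer, rather than silently accepted; the C2 and mutex indicators apply regardless of the flags.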

Targets

    • Target

      e-Payment Challan. R5364_08334_46915919.exe

    • Size

      624KB

    • MD5

      3a57683b6d649f0c6a68b25b12376985

    • SHA1

      62d75aaac7781351b4862a330dd3338b52c104b9

    • SHA256

      f7136ee5b078113db290b5d48216e48a13810aaa7f93ad9f15aef58b756e51c7

    • SHA512

      6e5eb8c3599d15b7dc79a1b1d71fcfa0efff3a46ee96745567a205ed4a167465f185c8d5e43543e7734802398c9c9715c68c3d95acd4d5a87b206be34b3166be

    • SSDEEP

      12288:1oNR4EoOBKMNHlg0f0479/tjiDcRvxXgnSnpZ1vvQZRYQrpEAmD:IoOBrBlj9i4J5gnIb9g

    Score
    10/10

    • Remcos

      Remcos is a closed-source remote control and surveillance tool, sold commercially and widely abused as a RAT.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread in another process is the usual way injected code (for example after process hollowing) is handed control.

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082