General

  • Target

    dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b

  • Size

    721KB

  • Sample

    240410-jvcetaca6w

  • MD5

    ed8504a7a6f3377d677b97526a376e81

  • SHA1

    86a0376de9b9ee12f86ed24091bc151ebae7d147

  • SHA256

    dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b

  • SHA512

    624bd34a11ebc86976bfd36385c79cf1730f81ce16f1c4fbf8076e226056219deb132e629297729b415c3721114425ae12f3da8ff34a1e60827d0588e7b74397

  • SSDEEP

    12288:/anyMm4/gn9Otfj8QwCHPInVyTnT6+lyZsIhqV4mfSoi1f5N/yCjcbvsqUpR:5Mh+aNwSPInVyFlONhq2mKD3/yCjYpuR

Score
10/10

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

TREINTAYOCHO

C2

treintayochorem.duckdns.org:1010

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-H7ZOSI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      dcdc99a71af2d3db2cb3004dd3e91a4908d71a876179b447ed116742cff8ba3b

    Score
    10/10
    • Remcos

      Remcos is a closed-source remote control and surveillance tool.

    • Blocklisted process makes network request

    • Loads dropped DLL

    • Target

      $TEMP/PartiShikari.dll

    • Size

      50KB

    • MD5

      8aec2b9bf7b0156601b5738445c89afb

    • SHA1

      72a3cf230083d1b882181bda3320ee5592a058d2

    • SHA256

      e288f1292df61e692e2ba9f2a163bcaa620403b30fad40155c37edc9c9e53f76

    • SHA512

      a92939475c2d0ac2331428d42628fc035ef98b3bb7ff9c154d99b441a38e11419de74fea0b07765de695dc02f0610ac9aba2ce7f82d500703b87f5f1183fe9ba

    • SSDEEP

      1536:dJOsygYsjOO8ziIJJNAB/qepudoVoD3Qu3IE:7s2IJM

    Score
    10/10
    • Remcos

      Remcos is a closed-source remote control and surveillance tool.

    • Target

      $TEMP/whatnot/failure/cgi-bin/33.opends60.dll

    • Size

      52B

    • MD5

      4171519896113ebb515847ecec465a45

    • SHA1

      a8e9e98e95fd2d5335f804c19b60fbdbc7664f7b

    • SHA256

      d770c8767f6d7d51d919d5bef2e0ffb61b6dc2172e99b8ef83d2359f44f2b949

    • SHA512

      8344717c3de03812cfa2fdcbce071c5501608b63659133efea16457452676eb0babd587df06c260c9179d6bda7c8f41a42e9293e87b370fbb5f9f969d9316d47

    Score
    1/10
    • Target

      $TEMP/whatnot/failure/cgi-bin/69.opends60.dll

    • Size

      46B

    • MD5

      c169f4c07092a565283dd8ba7712484b

    • SHA1

      8871f882152339810da164120251c38500e76d0c

    • SHA256

      647a5c5fff49a5b936f92f1f074d2d8c66204ed486cec12d3fb2e3ce1e30dbe3

    • SHA512

      db49323c2e49799e916467cca7063d81aea0a7bda0c32484b9f637c46cf18d9400888ec536d75d32bcee483cf3e6dafe1c3a66f2ba326d36cff5be37417b6434

    Score
    1/10
    • Target

      $TEMP/whatnot/failure/cgi-bin/79.opends60.dll

    • Size

      49B

    • MD5

      39d618d08910862f6fa19763ef8eb95a

    • SHA1

      ec9946684d5e72dbc5bdcffa31167ad1a19e29bd

    • SHA256

      92d13bd99d241df155dd56df72168e7a10662364dcde27ef06dde39731b5bde6

    • SHA512

      ef157ac89850f9e5838c01307849aea5759868d045836b6fb3fad6834c5edde8882603e1a2f0aa4eefc5c37bb2583720f55263291fbfe902239998623be849f8

    Score
    1/10
    • Target

      $TEMP/whatnot/failure/cgi-bin/edbgps.dll

    • Size

      26KB

    • MD5

      2160b3e337a493ca6fe9c1a0cd8b7b82

    • SHA1

      1a5cd9e540bce012ef88c4778d359a0c20cc2cc8

    • SHA256

      234458831289380cecd07624c51dc31f97fa6d9f81ed29bbff17afb8a27332dc

    • SHA512

      15e086800b71137c4e44cac4aab6a3289ea644bbe4c11a915ecfdf1000f67b8a9ac590b8aa894be5e660227c00a9a9e63d9c61dd7dd1e4908398ef889dfc0e02

    • SSDEEP

      384:WV0a/hPqP4h1q8fJIlPPV0n64l6GGWkaQWW4u+R4Kyr:7EBKC64aaLK

    Score
    1/10
    • Target

      $TEMP/whatnot/failure/cgi-bin/hxvzui.dll

    • Size

      19KB

    • MD5

      d1edd5893ab8c84a1da1496431dc0e6e

    • SHA1

      ab9c1ba2c8196e4a70eba056e968bae2dcc4234b

    • SHA256

      3892293b799a4477676afeb50fe05ffeacd66810c318560e75c8c527cb43b93c

    • SHA512

      3bace3f5e6e7d4d5416956a9cff5820c3696d4a4cbb4bb846f13c6215bdd3a311e55b9bc4c4623fe3563854139d693037e06a21941d4833971fe63b8175a40ad

    • SSDEEP

      48:KLtvMMMMMZswSRbaWmJIEEiP88KBB8xvoW2ZWsHHtLON0Ohf5W+e22:Wtk0baWmrcdW04N0UBWHJ

    Score
    1/10
    • Target

      $TEMP/whatnot/failure/cgi-bin/sbsdiasymreader.dll

    • Size

      5KB

    • MD5

      ea10730088607402b9847df60ddf682b

    • SHA1

      28b4b4232bfa6ca50a219c812662b814c92a934e

    • SHA256

      f4f244516ff66af8827603af7adc897410760904067bccd793ce311c01e69daa

    • SHA512

      ed723d3adf51e5fb89ee32c1b082f1bfe4c87b3e43c9c326054ab6c9133e16c130886ef9bd0990dc376fb620b67c3f070843114f4f75c3d5824a050b47403812

    • SSDEEP

      48:C0ytDZk8cf6uE4PYPF18s42oTNZuvUtZWNHWHlDnIBSrSFg5WWrn56:7ytDZfcSu7gPF42ONY6Wt0JnIBdF0WP

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Tasks