Overview

overview

10

Static

static

3

e8eb6be89b...33.dll

windows7-x64

1

e8eb6be89b...33.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    16594936431.zip

  • Size

    17.5MB

  • Sample

    240411-aq84jsad2y

  • MD5

    0362ad6a6be944da935487b6990fd1fd

  • SHA1

    7d34e49e19cc79819b057dfe05cd90eb33c37342

  • SHA256

    338c23abbf9f4d792d9bac20f519c89fafc6d340dbfd7afea56ebb5ea8f449b5

  • SHA512

    ca05a5ba60aa55e81e7530b415bd3bd27cd87de22f8bd858acba5f9b059168372968b2effd96b4db1a4c7dec240df43ede906f666f00fe897320a393808ce5a0

  • SSDEEP

    393216:NAryVUxcxFoIX68OAihvanABecJJULa/3kKopJWa0:NdUyxFoN8OthvanAIYO+/+pJWr

Score
10/10
remcosremotehostpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

ogbatobanana.duckdns.org:4047

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-0R92B3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233

    • Size

      150.0MB

    • MD5

      3ceefa7bd30b2b5494c2cdb64342835c

    • SHA1

      ef4cad7600788cc696cec53480dcfb67a5143adb

    • SHA256

      e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233

    • SHA512

      a3f88fae400037427d3068d583317c08132ff936c21c3fa38a97afedb9b614302228903973ed3aa8b41fb266f5e1aa3c7550ce4b4653ea9d4b1c06a0c350880f

    • SSDEEP

      786432:7UP7GCGO7b0Srkx/tC0SzIdSwh/WxbpNHQD3trzRp:7UP7GCG64Srkx1hSzYsHQD3t/R

    Score
    10/10
    remcosremotehostpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks