Overview

overview

10

Static

static

6

1099Misc.pdf

windows7-x64

1

1099Misc.pdf

windows10-2004-x64

1

Wrights 20...DF.exe

windows7-x64

10

Wrights 20...DF.exe

windows10-2004-x64

10

g2m.dll

windows7-x64

1

g2m.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    16520114153.zip

  • Size

    113.8MB

  • Sample

    240411-aw7snsae6s

  • MD5

    f6b5ccabd03578cbf00b5006cb9dd620

  • SHA1

    36fd82507bc47496b82d8ccce99835a26ff72038

  • SHA256

    2e392a0fddd485b24600022bd5a5b99aa50d4104f7947afcd766f3627e06fc62

  • SHA512

    06653892bce2e933b27583502a3d95e8f73a96964583309ac7a1da6a5de142409de68021e87ba6258f52588a19ed9d7991f8f083604704c990ddfaddc75e43fa

  • SSDEEP

    3145728:ytqafMvq3OGtC9i6Kk7fsSpoboZ9ZQx66aIKPpzxiaLWwP:UqaUvqoT7fFpoUZ9ZVrpzMAP

Score
10/10
remcosremotehostevasionpdfrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

clepdhunt.duckdns.org:4047

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-S0GVOJ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      1099Misc.inf

    • Size

      130.0MB

    • MD5

      f158d3387c6e2cb1b482f7b7abee7e20

    • SHA1

      9aadedb8049339dd027a45bc733caa1f6f3dc7a9

    • SHA256

      c052369f476b624913e8aec1a3ba729d30b5d5f145c4c5c58d64f7d09cfa54b5

    • SHA512

      93e92533c93d966007eaf6fb35772e362326eb8bd321f1db28cfa98943277589a393081157a8832f162776127eb91974e3f93a2ea3475e936db1f228973bc40e

    • SSDEEP

      3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWp:

    Score
    1/10
    behavioral1behavioral2

    • Target

      Wrights 2023 1040 W2s TaxDocumentPDF.exe

    • Size

      31KB

    • MD5

      3e71ed46603b02a94b921411a19b7a5c

    • SHA1

      b1374ef6717635d07015d8acb700cf95b2a66b12

    • SHA256

      1131f33552a12921f6f4d7d9e503feae4b12c367d5377e226acf270f6b58ca6e

    • SHA512

      28555a8bf20e4f8d42b21685c06e429bc5261f75e9fb65b970a322907d7da4a4ee7d367f4637ea4abb6ef32fae8e71a9d92b4f253a201e94548d68281edccbaf

    • SSDEEP

      384:e8Kj/M8yEryzqEt7a9Oey+IFdP64VYaEwDtiBgxoxlnLr2STcEICxXBhgBx4eMDa:eDD1r+VWOV+csoHViBBn+EFIqeMDGvaS

    Score
    10/10
    remcosremotehostrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      g2m.dll

    • Size

      200.0MB

    • MD5

      20c883bfc44dcd6eda231560851723d2

    • SHA1

      f479834bfabb38c950a6b2a00f87bf7cdc5e80bb

    • SHA256

      570104241aec8d351f43c141352ceefafdad2778edd9dc455aee59f3d5ce250f

    • SHA512

      2afa9ed3ded2d1658e1bf3d0b2ea753b302f559feb6de2478dda8f98e757b7a6397b39f284c51ab8822b7585728ae159f12ebcefc456fbdc7c5d55f9f476077d

    • SSDEEP

      786432:3UP7GCGO7b0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpH:3UP7GCG64Srkx1hSzYsHQD3t/R

    Score
    10/10
    remcosremotehostrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks