Overview

overview

10

Static

static

3

InstallerAPI.pdf

windows7-x64

1

InstallerAPI.pdf

windows10-2004-x64

1

Tax Organizer.exe

windows7-x64

1

Tax Organizer.exe

windows10-2004-x64

10

g2m.dll

windows7-x64

1

g2m.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    16573267458.zip

  • Size

    103.4MB

  • Sample

    240411-c3m3ysdc4s

  • MD5

    2fff95aa3a040176b8164474a7b5476f

  • SHA1

    a9fd1efc86de140c6fff51b64581deeb98a494f8

  • SHA256

    3f0e07fc6345cc179b7571de8b9fb2bfee2f9bef92a4ec224b4e034cd49e697f

  • SHA512

    9ba17cde95c39b06a7547f310c0c4d0329cb4dfce00f8ebc83f905a9deb48a1115eb7555fea9ddc5cbbfe69027af20b1bb8646c7af4fec66818130d12c534192

  • SSDEEP

    3145728:V4THTqJkldBUEiVrMJ9aNuHDAiCaJbzour:yT0WdBUEbJ9aEHsiCwbzour

Score
10/10
remcosremotehostpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

flysafemyguy.duckdns.org:4047

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-872KQZ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      InstallerAPI.inf

    • Size

      102.1MB

    • MD5

      db0521bd7e4b9fc803f9a900212eea02

    • SHA1

      6c86b49b4c1e3ebcecd5376166bfe3bda6a141fa

    • SHA256

      e95ce4146e3ffe7d5fde36340c01889f7634d6f91b92fbae1606bef9cb4a7cfb

    • SHA512

      22d219dac43bd3200e666ef7e554584b0fd43c57c0a6dd7888dc80f71a9b5e73ba48400607205a4f1680af0ccaa197fdb1add05fc7f698e9246fe00a6a49080f

    • SSDEEP

      3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWpg:M

    Score
    1/10
    behavioral1behavioral2

    • Target

      Tax Organizer.exe

    • Size

      39KB

    • MD5

      f1b14f71252de9ac763dbfbfbfc8c2dc

    • SHA1

      dcc2dcb26c1649887f1d5ae557a000b5fe34bb98

    • SHA256

      796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5

    • SHA512

      636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0

    • SSDEEP

      768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh

    Score
    10/10
    remcosremotehostpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      g2m.dll

    • Size

      100.0MB

    • MD5

      448de2bbd26b3dd436ad590497c36779

    • SHA1

      595f23c3e5ace472e888bd429107f901cd230d0b

    • SHA256

      4bcaba254171a6aed68dc2c893207b1f5ad3c2d2a650ff18a4d2d1cd0c7f0ed6

    • SHA512

      c747a4d02108fb07e5f967b50a912a181e8f9b664f47d22a6ac0ee785144e272c133bfbfea97d61d53396dd42158fb308c5452575a3d01d02ac06d759d52dbb6

    • SSDEEP

      196608:Mx0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVsv:MxzvfaEog+4rdbUTFVI

    Score
    10/10
    remcosremotehostpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks