General

  • Target

    16612436834.zip

  • Size

    103.4MB

  • Sample

    240412-cqb5xscd28

  • MD5

    cbee57e5d78eaef9f93af38fb3cd94e0

  • SHA1

    0c61191edbc40642acba9fcfdb5faf7e99080466

  • SHA256

    5a98e027413c17a092d04b5336448316b0933e5cfd0dac15c3dc2097d854f807

  • SHA512

    2f13e80d445f4b6fefe8eb6acfdec5bf69cef4bccb303a38299e88c03c099ce7d300fda0febcb70a4f69b7944cd2dbd4a035ee88deb29b9efd38979e94cdbdcf

  • SSDEEP

    3145728:gQLf+BY3nbDhQxxQ9hmUGktVorViO6ure:5LfXXvmX6Fzh5

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

193.142.146.21:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-WNCE10

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
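The extracted configuration above is the part of this report an analyst actually reuses: the C2 socket, the mutex, and the copy/keylog paths are all stable host and network indicators. The script below (an added example, not part of the sandbox report) turns those values into indicators and runs them over a few constructed telemetry lines in a Sysmon-like `key=value` format. The telemetry lines, the user profile path `C:\Users\bob`, the PID and the benign IP `203.0.113.10` are made up for the demonstration; the indicator values are copied from the config above. Note that `install_flag` is false here, so the self-copy to `%AppData%\Remcos\remcos.exe` may never happen, which is why the Run-key check also fires on any Run value pointing into a user-writable directory.

```python
"""
Added example: derive indicators from the Remcos config extracted on this page
and match them against constructed Sysmon-like telemetry. Not sandbox output.
"""
import re
from dataclasses import dataclass

# Values copied from the extracted config on this page.
REMCOS_CONFIG = {
    "c2": "193.142.146.21:2404",
    "mutex": "Rmc-WNCE10",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "install_flag": False,  # no self-copy configured; the Run key was still observed
    "keylog_flag": False,   # offline keylogger off, so logs.dat is a low-expectation IOC
}


@dataclass(frozen=True)
class Hit:
    kind: str       # which indicator matched
    indicator: str  # the value it matched on
    line: str       # the telemetry line that produced the hit


def iocs_from_config(cfg: dict) -> dict:
    """Derive matchable indicators from the extracted config."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"],
        # Remcos installs to %AppData%\<copy_folder>\<copy_file> when install_flag is set.
        "install_tail": (cfg["copy_folder"] + "\\" + cfg["copy_file"]).lower(),
        "keylog_tail": (cfg["keylog_folder"] + "\\" + cfg["keylog_file"]).lower(),
    }


# 'k=v k=v' where values may contain spaces (Windows paths); a value ends
# where the next 'word=' token begins or at end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Parse one constructed telemetry line into a field dict."""
    return {k: v for k, v in _KV.findall(line)}


def match_event(ev: dict, iocs: dict, raw: str) -> list:
    """Apply the config-derived indicators to one parsed event."""
    hits = []
    kind = ev.get("EVT")
    if kind == "NetworkConnect" and ev.get("dst") == iocs["c2_host"]:
        same_port = ev.get("dport") == str(iocs["c2_port"])
        hits.append(Hit("c2_beacon" if same_port else "c2_host_only",
                        f"{iocs['c2_host']}:{ev.get('dport')}", raw))
    elif kind == "MutexCreate" and ev.get("name") == iocs["mutex"]:
        hits.append(Hit("mutex", iocs["mutex"], raw))
    elif kind == "RegistryValueSet":
        key = ev.get("key", "").lower()
        data = ev.get("data", "").lower()
        if "\\currentversion\\run\\" in key:
            if data.endswith(iocs["install_tail"]):
                hits.append(Hit("run_key", iocs["install_tail"], raw))
            elif "\\appdata\\" in data or "\\temp\\" in data:
                # install_flag is false in this config, so the copy may not exist;
                # a Run value pointing into a user-writable directory is the
                # more robust signal for the observed "Adds Run key" behaviour.
                hits.append(Hit("run_key_userdir", data, raw))
    elif kind == "FileCreate":
        path = ev.get("path", "").lower()
        if path.endswith(iocs["install_tail"]):
            hits.append(Hit("dropped_copy", iocs["install_tail"], raw))
        elif path.endswith(iocs["keylog_tail"]):
            hits.append(Hit("keylog_file", iocs["keylog_tail"], raw))
    return hits


def scan(lines, cfg: dict = REMCOS_CONFIG) -> list:
    """Run every telemetry line through the indicator set; returns a list of Hit."""
    iocs = iocs_from_config(cfg)
    hits = []
    for raw in lines:
        hits.extend(match_event(parse_event(raw), iocs, raw))
    return hits


# Constructed telemetry (not from the sandbox run); paths, PID and 203.0.113.10 are made up.
SAMPLE_TELEMETRY = [
    r"EVT=NetworkConnect image=C:\Users\bob\AppData\Roaming\Remcos\remcos.exe dst=193.142.146.21 dport=2404",
    r"EVT=NetworkConnect image=C:\Program Files\Mozilla Firefox\firefox.exe dst=203.0.113.10 dport=443",
    r"EVT=RegistryValueSet key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Remcos data=C:\Users\bob\AppData\Roaming\Remcos\remcos.exe",
    r"EVT=RegistryValueSet key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater data=C:\Users\bob\AppData\Local\Temp\MY 2023 TAX ORGANIZER_PDF.exe",
    r"EVT=MutexCreate name=Rmc-WNCE10 pid=4120",
    r"EVT=FileCreate path=C:\Users\bob\AppData\Roaming\Remcos\remcos.exe",
    r"EVT=FileCreate path=C:\Users\bob\AppData\Roaming\Other\readme.txt",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_TELEMETRY):
        print(f"{h.kind:16} {h.indicator}")
```

On the constructed input this yields five hits (C2 beacon, Run key pointing at the install path, Run key pointing into `%Temp%`, the mutex, and the dropped copy); the Firefox connection and the unrelated file write produce nothing. The C2 match is split into exact host:port and host-only so a connection to the same IP on another port is still surfaced at lower confidence rather than dropped.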

Targets

    • Target

      InstallerAPI.inf

    • Size

      102.1MB

    • MD5

      db0521bd7e4b9fc803f9a900212eea02

    • SHA1

      6c86b49b4c1e3ebcecd5376166bfe3bda6a141fa

    • SHA256

      e95ce4146e3ffe7d5fde36340c01889f7634d6f91b92fbae1606bef9cb4a7cfb

    • SHA512

      22d219dac43bd3200e666ef7e554584b0fd43c57c0a6dd7888dc80f71a9b5e73ba48400607205a4f1680af0ccaa197fdb1add05fc7f698e9246fe00a6a49080f

    • SSDEEP

      3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWpg:M

    Score
    1/10
    • Target

      MY 2023 TAX ORGANIZER_PDF.exe

    • Size

      39KB

    • MD5

      f1b14f71252de9ac763dbfbfbfc8c2dc

    • SHA1

      dcc2dcb26c1649887f1d5ae557a000b5fe34bb98

    • SHA256

      796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5

    • SHA512

      636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0

    • SSDEEP

      768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh

    • Remcos

      Remcos is closed-source remote control and surveillance software (a commercial RAT).

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      g2m.dll

    • Size

      15.1MB

    • MD5

      53cd4b218deb3fd9b31ae4f54daf0e0b

    • SHA1

      1fdbcd6296487943b57c073a5a0aac36fead5f1e

    • SHA256

      6edc001310ea4896cc410b9d5dd8beaf912f8a71f1be60c139780d0bf5507007

    • SHA512

      771fa9878109ee683733ac930fc828b3448d31b41ca50202952a44bfc0c8a32b75343b814d1f5d054a3272d0b9c11e245c562c9a3799fffb2ae677c3ea4c04aa

    • SSDEEP

      196608:/m0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVsIE:/mzvfaEog+4rdbUTFVjE

    Score
    1/10

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            Count  ID
Persistence           Boot or Logon Autostart Execution    1      T1547
                      Registry Run Keys / Startup Folder   1      T1547.001
Privilege Escalation  Boot or Logon Autostart Execution    1      T1547
                      Registry Run Keys / Startup Folder   1      T1547.001
Defense Evasion       Modify Registry                      2      T1112
Discovery             Query Registry                       1      T1012
                      System Information Discovery         1      T1082

Tasks