Overview

overview

10

Static

static

3

My 2023 Ta...DF.exe

windows7-x64

1

My 2023 Ta...DF.exe

windows10-2004-x64

10

Tier1.pdf

windows7-x64

1

Tier1.pdf

windows10-2004-x64

1

g2m.dll

windows7-x64

1

g2m.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    16601138110.zip

  • Size

    103.4MB

  • Sample

    240412-cv2w5sff9y

  • MD5

    a8a2b1e178545dc2fa2e8ab3b1d3a982

  • SHA1

    a2b790e6f22cdeaaaec6df200dc9717a248f4698

  • SHA256

    ba8db0a36c729d98dc09fbd9c7ea62e1b62f5a435318af68bdb846063a325f21

  • SHA512

    00e705ef5d2db546e45a6d50703e0fba85dca3a749e0cc58d5f122b2b7be3ddc7e3d8ceffd4b60df2d12779d75febd5de1f39488334cdbba154a54c1b5f011ee

  • SSDEEP

    1572864:WwDvg0dZXY+6FlN0Y+urrFR9dXATcJxQzk2EHBzF0Spg5NT5cT8g1Z5a19xr02:W8o1NN0YJPATcAzk2EHBzFhpUNTC8gWv

Score
10/10
remcosremotehostpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

clepdhunt.duckdns.org:4047

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-EN0WTA

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      My 2023 Tax DocumentsPDF.exe

    • Size

      39KB

    • MD5

      f1b14f71252de9ac763dbfbfbfc8c2dc

    • SHA1

      dcc2dcb26c1649887f1d5ae557a000b5fe34bb98

    • SHA256

      796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5

    • SHA512

      636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0

    • SSDEEP

      768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh

    Score
    10/10
    remcosremotehostpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      Tier1.pdof

    • Size

      102.1MB

    • MD5

      db0521bd7e4b9fc803f9a900212eea02

    • SHA1

      6c86b49b4c1e3ebcecd5376166bfe3bda6a141fa

    • SHA256

      e95ce4146e3ffe7d5fde36340c01889f7634d6f91b92fbae1606bef9cb4a7cfb

    • SHA512

      22d219dac43bd3200e666ef7e554584b0fd43c57c0a6dd7888dc80f71a9b5e73ba48400607205a4f1680af0ccaa197fdb1add05fc7f698e9246fe00a6a49080f

    • SSDEEP

      3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWpg:M

    Score
    1/10
    behavioral3behavioral4

    • Target

      g2m.dll

    • Size

      15.1MB

    • MD5

      f14c14a6d5b1613242f061030fdb9163

    • SHA1

      2a0d0c7ee40fdd3fe00a76b6d89c0e951deff8e2

    • SHA256

      ba23ee91a54d3da0e2142a90def9ea6ead953621fdbb2c9a568ab68247993b90

    • SHA512

      7993bd5510278adc273b4de6f62dc0eec06f12b294e62a9cf60319b2ae0bd1111a2aefb8af0876228d4c9e0a5d6e78fda5c494c6583ec92b6ba2b31be69dc4c8

    • SSDEEP

      196608:W0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVs4zti:WzvfaEog+4rdbUTFVe

    Score
    10/10
    remcosremotehostpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks