General

  • Target: 08aa3bfb5f56d17ce70299a7ac6680738f95df00da7445f6ba4d7064dfa73d71
  • Size: 860KB
  • Sample: 240417-p3672she21
  • MD5: fb5c38515de68f206ca78e8326ecdfa7
  • SHA1: f7d08eee41cd1b694c288aa8fcbdb883ecda740a
  • SHA256: 08aa3bfb5f56d17ce70299a7ac6680738f95df00da7445f6ba4d7064dfa73d71
  • SHA512: 5f2b0f088347632842328b572dbbb97ba579720126a82861eec175e061d112348eded75be5a6ba729b42770e3a38b4b2c81ad7960c5d6d9b0db92a76c0a9d4a7
  • SSDEEP: 24576:jDlyKtrEyjggEAOyd/awaydOrwiXj3kU/2GwlxIe:9trEMg7waB1j5bwlWe

Score: 10/10

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: 91.92.244.17:2707

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-ZBS4C6
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: 16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe
    • Size: 884KB
    • MD5: cb60f9802b22337e3182ff3045e848fa
    • SHA1: b3d29c2524c103e786e2a73c3dfdbe37b8e0ee28
    • SHA256: 16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce
    • SHA512: bb7a9e679caa06f904eff2b4f08006d2cbeae03dfaa9e7a6b90e667040bedee607c8d147a16b56d5ecae99a11e0e9f6fdafc436f48867e12022198020f749be0
    • SSDEEP: 24576:6OKGhEYdA9mPUiGZHQZcrOuP115OI7BN1:dKGhEYdAMfhSd155B

    Score: 10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution: Scripting (1) T1064; Scheduled Task/Job (1) T1053
  • Persistence: Scheduled Task/Job (1) T1053
  • Privilege Escalation: Scheduled Task/Job (1) T1053
  • Defense Evasion: Scripting (1) T1064
  • Discovery: Query Registry (1) T1012; System Information Discovery (2) T1082
