Resubmissions

  • 18-04-2024 18:22  240418-wz4q3scd8t  10
  • 18-04-2024 18:21  240418-wzr3aabc36  1

General

  • Target: 6a2bece56fe02b45d810a7bee948a695a546fa20d6a41059881e4f5cd8d3c1a8.zip
  • Size: 22KB
  • Sample: 240418-wz4q3scd8t
  • MD5: 4568a0523f2c2d188a0a03c7821316a9
  • SHA1: 3c520c01a93ee71ba1356e05ce0d6ddefd5dfc44
  • SHA256: 0b6bdc1174df667ccb20b2da74d9236947446e4ec60838d1a9b432a072d6b537
  • SHA512: 13065b8536763bb5020fff453d83e7226ce7a2ef94251389034b13adb07947f05ce6034d43154734e1a4768aefcc4a7a7ab74b0bc98eb1632ec21d70119b9ee4
  • SSDEEP: 384:oUugvbLwd/Qa1/RAIIkbJLFqeq2se4Nj4RcQD6U79cKbEjXL864pwM:G/QG5AIItAzyic06mwjX46a

Malware Config

Extracted

  • Family: remcos
  • Botnet: Zynova
  • C2: remcjulia.duckdns.org:14645

Attributes

  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-76C83U
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

  • Target: 6a2bece56fe02b45d810a7bee948a695a546fa20d6a41059881e4f5cd8d3c1a8.rtf
  • Size: 73KB
  • MD5: f2f68348f362c4e57a14b9c05e2e8e9f
  • SHA1: 4a7ea1d1dc020f606a71ec2dc180797c4399b226
  • SHA256: 6a2bece56fe02b45d810a7bee948a695a546fa20d6a41059881e4f5cd8d3c1a8
  • SHA512: 1e469d0e2b40425a62a6fff84d4f06d25e5dbebc62ed296b272640ce731b28706aa54807da4d1074c9d0aa5b9c1e3278c38a1f72bf1429e548806b03f0532611
  • SSDEEP: 1536:9istY3tmRjSnQZdvPHLXEc5J1jQ1bL+jmfkOXAC3qrsGYX3wmPC+tJJROtgIrsJH:9irtmRyOvPHLXB5J1jQ1bL+jukW3qrod

  • Remcos: Remcos is a closed-source remote control and surveillance software.
  • Blocklisted process makes network request
  • Adds Run key to start application
  • Drops file in System32 directory
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            Count  ID
Execution             Exploitation for Client Execution    1      T1203
Persistence           Boot or Logon Autostart Execution    1      T1547
                      Registry Run Keys / Startup Folder   1      T1547.001
Privilege Escalation  Boot or Logon Autostart Execution    1      T1547
                      Registry Run Keys / Startup Folder   1      T1547.001
Defense Evasion       Modify Registry                      2      T1112
Discovery             System Information Discovery         1      T1082

Tasks