General
Target: 5aebe72f050d5977cccf05c5c21bd56dab2c8caf96b9edcf9b1bcfabcf0702fc.rtf
Size: 74KB
Sample: 240419-btj49sdg2x
MD5: 9278d07272accaf33d132bb6dbf6a7e7
SHA1: 2baca87c9698a70badda973491cdb8fdc82982d5
SHA256: 5aebe72f050d5977cccf05c5c21bd56dab2c8caf96b9edcf9b1bcfabcf0702fc
SHA512: 34efd47cc1960994b46211979e0f2cc158d3a87d1af61e9d904d28481a3313129100c46556caa9c27e9309aac162a354df8893d1211ca85d17947b8daf5c405e
SSDEEP: 1536:TdgqOavGX0Rg0irVBw0hyRHnmAZwzWsl9fvIeFWnRmTM3PdCxjws1fEheLL7Xbl5:Td+avE0Rg0irVBw0hyRHnmAZcXfvIeFN
Static task: static1
Behavioral task: behavioral1
  Sample: 5aebe72f050d5977cccf05c5c21bd56dab2c8caf96b9edcf9b1bcfabcf0702fc.rtf
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5aebe72f050d5977cccf05c5c21bd56dab2c8caf96b9edcf9b1bcfabcf0702fc.rtf
  Resource: win10v2004-20240412-en
Malware Config
Extracted: remcos
RemoteHost: sembe.duckdns.org:14645
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: notess
keylog_path: %AppData%
mouse_option: false
mutex: Rmc-P0AEMX
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
Targets
Target: 5aebe72f050d5977cccf05c5c21bd56dab2c8caf96b9edcf9b1bcfabcf0702fc.rtf
Score: 10/10
- Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Blocklisted process makes network request
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext