General

  • Target

    19042024_0340_2023 Tax Organizer.zip

  • Size

    10.6MB

  • Sample

    240419-d8xp1sff94

  • MD5

    283f7eabb82f578f49510915c4b2bf4f

  • SHA1

    719ddeb335d1a6ce6d58826a363e249d974b82f7

  • SHA256

    bd8ff468b6fb4958059537257894153fc0cb9eb43f4a05c0b7c42ddd0fac7df9

  • SHA512

    c5fd5916505024bca1c9fbbdadfb8e851072a8923d469778aefa7445aa174040494dd23ec32e5f55b9be1fb1db4bc710ea62191339432b412289a290a741c512

  • SSDEEP

    196608:Kr1D+scr7majR7NAiGmVRui3sBpQnAuRjoks+NhRKzxcneL94YoNpZVlV:KBD+sJ+2rmt3sBpQn7RkR8G94tpZd

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    faststaynow.duckdns.org:5057

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-DRFJJD

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Tax Organizer 2023/Tax Organizer.exe

    • Size

      31KB

    • MD5

      4db45c5fdb9e115b922bdf007523f082

    • SHA1

      90297382a170ff3ea7931db2425329d0b2f70f04

    • SHA256

      a73709c1b5f1f875ee35f477c4e263a57050c36e2cff31ad1ceca17d9623e7cd

    • SHA512

      7f0bcb2ee96c523cce764d1ec7d197d3aadddcf6fae71b63e88c3a26883b2f2fb4a446187adfbb023be779056ebc0ea50a785c72bbe97bb7dca41a810d0ff6c7

    • SSDEEP

      384:V4Kj/M8y6ryzqEt7a9Oey+IFdP64VYaEwDtiBgxoxlnLr2STchsCxXBhgBx4eMDg:VHDXr+VWOV+csoHViBBn+hRIqeMDGt

    • Score

      3/10

    • Target

      Tax Organizer 2023/g2m.dll

    • Size

      25.9MB

    • MD5

      485b8cc54d8a2fc27a1c0c1cafe21811

    • SHA1

      b0011058e2babc680273aacf9eb382e85532d5a5

    • SHA256

      2643dbabde4595b6505a2c5f74810022a75322cb1c0a7a889783ad794f55df7d

    • SHA512

      e7e7c207d76e00b047875b0937b6b81dbfd2623095095aaff656e2b9c90c49b5ba710bf9f997af346a928f7d1967cb39ee842e6ee62792aa5d100d90bdd86560

    • SSDEEP

      196608:+5H3zHriM3lONIfjm0S6VFWxtswdO8Nw3MRfW8+IiAp7kz8roTsWbbh7nkMM9haK:8rmKSPoTsWbbh7nkMGRNc4Y/kyZpJIgi

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Tasks