Overview

overview

10

Static

static

3

z1PROOFOFPAYMENT.exe

windows7-x64

10

z1PROOFOFPAYMENT.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    z1PROOFOFPAYMENT.exe

  • Size

    963KB

  • Sample

    240422-thxv4add2s

  • MD5

    3b8dd99d65b19a84a276a05804005790

  • SHA1

    c300f31e8e67b4bd92504b94d5d2294b0f8ef5cb

  • SHA256

    efbde8c3fc0f8f18b6b2c93fae4c7aaaa137f866a9d112ebdc534b8477485261

  • SHA512

    6c15f448fdbe5cd63fcb010aae0aa253f9a9702d1edf7527ab73917896fd83b9f5bbd25f8494deabf7c612f7cf3448115f4f9925beaedf395e534158fb630bb5

  • SSDEEP

    24576:uC8wC9aeW7T4WfjBrAodA0bbwkTQ8NmCQN0iiLX:uCG9+FvbzaCQ1

Score
10/10
remcossthostrat

Malware Config

Extracted

Family

remcos

Botnet

STHost

C2

89.249.73.162:2479

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-TH3UQH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      z1PROOFOFPAYMENT.exe

    • Size

      963KB

    • MD5

      3b8dd99d65b19a84a276a05804005790

    • SHA1

      c300f31e8e67b4bd92504b94d5d2294b0f8ef5cb

    • SHA256

      efbde8c3fc0f8f18b6b2c93fae4c7aaaa137f866a9d112ebdc534b8477485261

    • SHA512

      6c15f448fdbe5cd63fcb010aae0aa253f9a9702d1edf7527ab73917896fd83b9f5bbd25f8494deabf7c612f7cf3448115f4f9925beaedf395e534158fb630bb5

    • SSDEEP

      24576:uC8wC9aeW7T4WfjBrAodA0bbwkTQ8NmCQN0iiLX:uCG9+FvbzaCQ1

    Score
    10/10
    remcossthostrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks