Overview

overview

10

Static

static

3

9eb61a37bb...ee.exe

windows7-x64

10

9eb61a37bb...ee.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe

  • Size

    863KB

  • Sample

    240508-s9ggraed53

  • MD5

    dabe08d54fa304acf839f180c0ee1211

  • SHA1

    34e9389367fffbf9edf77b4f973ff4f83bf14b87

  • SHA256

    9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee

  • SHA512

    61b26ac129410af9404e53bc575045ccbcc2fd6af16a5201f6cef47875d767c2511868edfa026f6374b86ec238ac4251263701c5a7a7ef50c3b4d8efda62b7c1

  • SSDEEP

    24576:epLBj972/zHgaqgEa8R4ztaRGcNpVnNRCxhO5shG5qt:el0/qgz8R4z0RDNpVTN5it

Score
10/10
remcosremotehostpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.173.4.16:2560

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-KDW6BI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee.exe

    • Size

      863KB

    • MD5

      dabe08d54fa304acf839f180c0ee1211

    • SHA1

      34e9389367fffbf9edf77b4f973ff4f83bf14b87

    • SHA256

      9eb61a37bbe20ca7abc38da6d92b15c654ce3005eac451d16699a01b7c15b0ee

    • SHA512

      61b26ac129410af9404e53bc575045ccbcc2fd6af16a5201f6cef47875d767c2511868edfa026f6374b86ec238ac4251263701c5a7a7ef50c3b4d8efda62b7c1

    • SSDEEP

      24576:epLBj972/zHgaqgEa8R4ztaRGcNpVnNRCxhO5shG5qt:el0/qgz8R4z0RDNpVTN5it

    Score
    10/10
    remcosremotehostpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks