General

  • Target

    869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe

  • Size

    604KB

  • Sample

    240511-b1ehcsdh6y

  • MD5

    ffc880a6448b251eee7f03809bf0a1bf

  • SHA1

    09e75e38d588b0e99a3f6f85b2dc4a3eebe4ee08

  • SHA256

    869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d

  • SHA512

    21dbc92495d2afa76e2e0b7243586ce70889e6cf1240222f1c75aab217df9a0287f9b9b5f3c754011ecfec411c2677c3fd091bcb2b620205c2c97db564b7b180

  • SSDEEP

    12288:O+DbgZB778Qed59T3C6g9XltKMYicJgTx5bx4OVEIHDe2RZQioKEAmD:3gZBS9TbgoMpcJ+Tbe7Ye2nOK

Score
10/10

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

NHS

C2

185.189.112.19:30311

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    nhs

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_lejjhxgdnt

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
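The extracted configuration above is only useful to a responder once it is turned into concrete indicators: the expanded install path, the keylog file, the screenshot and audio folders, the mutex and the C2 socket. The following is an added example (not the sandbox's own code, and not Remcos's data structure) that transcribes the report's fields into a dict, derives those indicators, and runs them over a few constructed telemetry events. The expansion of `%AppData%` to a profile path for a hypothetical user `victim`, the event layout, and the reading of `startup_value` as an autorun entry name are assumptions.

```python
import ntpath

# Config values transcribed from the extracted configuration above; the dict
# layout is mine, not the sandbox's or Remcos's own data structure.
REMCOS_CONFIG = {
    "c2": ["185.189.112.19:30311"],
    "mutex": "remcos_lejjhxgdnt",
    "install_flag": False,
    "install_path": "%AppData%",
    "copy_folder": "remcos",
    "copy_file": "remcos.exe",
    "startup_value": "remcos",
    "keylog_flag": False,
    "keylog_path": "%AppData%",
    "keylog_folder": "nhs",
    "keylog_file": "logs.dat",
    "screenshot_flag": False,
    "screenshot_path": "%AppData%",
    "screenshot_folder": "Screens",
    "audio_path": "%AppData%",
    "audio_folder": "audio",
}

# Assumed expansion of the %AppData% placeholder for a hypothetical user
# "victim"; real telemetry carries the real profile path.
ENV = {"%AppData%": r"C:\Users\victim\AppData\Roaming"}


def expand(path):
    """Expand the config's environment-style placeholders."""
    for placeholder, value in ENV.items():
        path = path.replace(placeholder, value)
    return path


def derive_iocs(cfg):
    """Turn the extracted config into concrete host and network indicators."""
    iocs = {"network": [], "files": [], "mutex": cfg["mutex"], "startup_value": None}
    for c2 in cfg["c2"]:
        host, _, port = c2.rpartition(":")
        iocs["network"].append((host, int(port)))
    # Paths are derived even where the corresponding flag is false: the flag is
    # the operator's build-time choice, and other builds from the same campaign
    # (same C2, same botnet name) may enable the feature.
    iocs["files"].append(("install", expand(ntpath.join(
        cfg["install_path"], cfg["copy_folder"], cfg["copy_file"])), cfg["install_flag"]))
    iocs["files"].append(("keylog", expand(ntpath.join(
        cfg["keylog_path"], cfg["keylog_folder"], cfg["keylog_file"])), cfg["keylog_flag"]))
    iocs["files"].append(("screenshots", expand(ntpath.join(
        cfg["screenshot_path"], cfg["screenshot_folder"])), cfg["screenshot_flag"]))
    iocs["files"].append(("audio", expand(ntpath.join(
        cfg["audio_path"], cfg["audio_folder"])), None))
    if cfg["install_flag"]:
        # Assumption: startup_value names an autorun entry; this build has
        # install_flag=false, so none is expected.
        iocs["startup_value"] = cfg["startup_value"]
    return iocs


# Constructed telemetry for illustration, not events from the report.
SAMPLE_EVENTS = [
    {"type": "net_connect", "dst": "185.189.112.19", "port": 30311},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\nhs\logs.dat"},
    {"type": "mutex_create", "name": "remcos_lejjhxgdnt"},
    {"type": "net_connect", "dst": "93.184.216.34", "port": 443},
    {"type": "file_create", "path": r"C:\Users\victim\AppData\Roaming\Screens\shot.jpg"},
]


def match_events(events, iocs):
    """Return (category, detail) hits for telemetry matching the derived indicators."""
    hits = []
    paths = {p.lower(): name for name, p, _ in iocs["files"]}
    for e in events:
        if e["type"] == "net_connect" and (e["dst"], e["port"]) in iocs["network"]:
            hits.append(("c2", f'{e["dst"]}:{e["port"]}'))
        elif e["type"] == "file_create":
            p = e["path"].lower()
            # Match an exact artifact path or anything created inside a derived folder.
            for known, name in paths.items():
                if p == known or p.startswith(known + "\\"):
                    hits.append((name, e["path"]))
                    break
        elif e["type"] == "mutex_create" and e["name"] == iocs["mutex"]:
            hits.append(("mutex", e["name"]))
    return hits


if __name__ == "__main__":
    for category, detail in match_events(SAMPLE_EVENTS, derive_iocs(REMCOS_CONFIG)):
        print(f"{category:12} {detail}")
```

The folder-level match matters more than the exact file name: `logs.dat` is fixed by the config, but screenshot and audio file names are generated at run time, so anything written under the derived `Screens` or `audio` folder is the signal.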

Targets

    • Target

      869d82f75b419b649177813ee10ff71987aa775e0c86868bb952aab22f6fe91d.exe

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Detects Windows executables potentially bypassing UAC using eventvwr.exe

      Flags the eventvwr.exe UAC bypass, in which the mscfile shell\open\command handler under HKCU is hijacked so that the auto-elevating Event Viewer launches an attacker-controlled command.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext

      Changing another thread's context is a common step in process hollowing and other code-injection techniques.
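The four behavioural signatures above each describe a host-level pattern a detection engineer can express as a rule over process, registry and API telemetry. Below is an added example (not the sandbox's signature code) that encodes them and runs them over constructed events in which pid 100 stands in for the sample. The event layout is made up; the registry key read for the location check (`HKCU\Control Panel\International\Geo`, value `Nation`) is my assumption about what "computer location settings" refers to; the 60-second window that ties an eventvwr.exe launch to the preceding handler hijack is a tunable I chose.

```python
import re

# Constructed endpoint telemetry for illustration; none of it comes from the
# report. pid 100 plays the role of the sample's process.
EVENTS = [
    {"ts": 1, "type": "process", "pid": 100, "parent": 50,
     "image": r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe",
     "cmdline": "remcos.exe"},
    {"ts": 2, "type": "registry", "pid": 100, "op": "query",
     "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"ts": 3, "type": "process", "pid": 101, "parent": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c Add-MpPreference -ExclusionPath "
                r"C:\Users\victim\AppData\Roaming -ExclusionProcess remcos.exe"},
    {"ts": 4, "type": "registry", "pid": 100, "op": "set",
     "key": r"HKCU\Software\Classes\mscfile\shell\open\command", "value": "",
     "data": r"C:\Users\victim\AppData\Roaming\remcos\remcos.exe"},
    {"ts": 5, "type": "process", "pid": 102, "parent": 100,
     "image": r"C:\Windows\System32\eventvwr.exe", "cmdline": "eventvwr.exe"},
    {"ts": 6, "type": "api", "pid": 100, "call": "SetThreadContext", "target_pid": 103},
    {"ts": 7, "type": "process", "pid": 200, "parent": 50,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c dir"},
]

# Defender exclusions added from the command line (any of the three exclusion kinds).
MP_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)
# Handler key that the eventvwr.exe UAC bypass hijacks (under HKCU).
MSCFILE_KEY = r"\software\classes\mscfile\shell\open\command"
# Assumption: the "computer location settings" lookup reads the Nation value
# under this key; adjust if your telemetry shows a different source.
GEO_KEY = r"\control panel\international\geo"
# How long after the handler hijack an eventvwr.exe launch is still attributed to it.
BYPASS_WINDOW = 60


def detect(events):
    """Run the four behavioural rules over events; return (rule, pid) hits in time order."""
    hits = []
    hijacked_by = {}  # pid that wrote the mscfile handler -> timestamp of the write
    for e in sorted(events, key=lambda x: x["ts"]):
        kind = e["type"]
        if kind == "process" and MP_EXCLUSION.search(e["cmdline"]):
            hits.append(("defender_exclusion_via_powershell", e["pid"]))
        elif kind == "process" and e["image"].lower().endswith(r"\eventvwr.exe"):
            # Only the combination (handler write, then Event Viewer launched by
            # the same process) is the bypass; eventvwr.exe alone is benign.
            started = hijacked_by.get(e.get("parent"))
            if started is not None and e["ts"] - started <= BYPASS_WINDOW:
                hits.append(("eventvwr_uac_bypass", e["parent"]))
        elif kind == "registry" and e["op"] == "set" and e["key"].lower().endswith(MSCFILE_KEY):
            hijacked_by[e["pid"]] = e["ts"]
        elif (kind == "registry" and e["op"] == "query"
              and e["key"].lower().endswith(GEO_KEY)
              and e.get("value", "").lower() == "nation"):
            hits.append(("geo_nation_lookup", e["pid"]))
        elif (kind == "api" and e["call"] == "SetThreadContext"
              and e.get("target_pid") not in (None, e["pid"])):
            # Cross-process context change: the usual hollowing/injection step.
            hits.append(("cross_process_setthreadcontext", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:34} pid={pid}")
```

The geofence lookup and the SetThreadContext call are weak on their own (installers and debuggers do both); they earn their place here because they co-occur with the Defender exclusion and the handler hijack from the same process tree, which is how the sandbox arrives at its verdict rather than from any single signature.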

MITRE ATT&CK Enterprise v15

Tasks