Overview

overview

10

Static

static

1

BCC0174237...BL.cmd

windows7-x64

7

BCC0174237...BL.cmd

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    25052024_1102_23052024_BCC0174237 DRAFT BL.Tar

  • Size

    753KB

  • Sample

    240525-m5a7aaeb61

  • MD5

    df7184b7ac6ce80047603d20e931b839

  • SHA1

    c60a433afdb0e616cdac8d1de19d886066d456b4

  • SHA256

    912b9cf7a4906c96b43814617ea1814872ce14412561246c6c59c85901f46821

  • SHA512

    916f672be18d0070680862f788938215d02e63aeb2c66f2aa58dd40a25484d0ff20fdd8da9fbeb45e7ba7d9469f89fed40cbc15df574b19cfbb08b95537c54ae

  • SSDEEP

    12288:loFaPq6aZZm81PrWFydhQ2YThPkulcevqZXJT6KikgR9O49BmcdK98H8htYk6XKx:ZAFtrWeLYpkuxvqZX0/TNkm8fY9avgp8

Score
10/10
remcosdodocryptpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

DodoCrypt

C2

172.208.52.39:5404

172.208.52.39:5403

172.208.52.39:5402
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    soon.dat

  • keylog_flag

    false

  • keylog_path

    %UserProfile%

  • mouse_option

    false

  • mutex

    ioioeioeioeooeoioe-YSHXR1

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      BCC0174237_DRAFT_BL.cmd

    • Size

      4.0MB

    • MD5

      0889785a3d5ca52a21524b294eee7fbb

    • SHA1

      2b1ea80536647537cd5cf9ce6305815f8792b6e2

    • SHA256

      15ed7a1bb6747d6afb7c1665ba33c30c4fa611bc840a8f4e48a8681344419ba1

    • SHA512

      f4e9a26a5f01b39bc391b85eeccb19d46d145cd9338cff0b3e4c53b90d84748c7f12d98597e58b65a5cec98b25ae3e1441332ab7478d38f2fe6eb7c313763fe3

    • SSDEEP

      24576:VOHooIG6mM861SoDFFfcTBmMTdcIxBJGhRCyNaiBKkPK5:VOHooIBPLs/mMRcNaiBKkPK5

    Score
    10/10
    remcosdodocryptpersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence
    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks