General

  • Target

    737b1925f1d948ace5796ba229057715_JaffaCakes118

  • Size

    375KB

  • Sample

    240726-lgxvpszajk

  • MD5

    737b1925f1d948ace5796ba229057715

  • SHA1

    026c18e0feb50e1e4bd3a5ce51860534bce408ce

  • SHA256

    aa966e13129d97d07b3b2b8e08e3a85a4369a9e4e871b6b79f5debabca33308f

  • SHA512

    ce050a2c93d55974e55bfc57d44e9519a48bbbebdce4195f274ac0727fe9761d6a5f9eb421e2f355eb7db97eb245437328daef4c859fa039ba02636e86ae1471

  • SSDEEP

    6144:6EHT/PYTr4xOmOFy3O2unGtIbshHyYxE17ICNP9v1Cd/oPlSa3:6TcizG2boHyY217ISv1KQPsa3

Malware Config

Extracted

  • Family

    remcos

  • Version

    3.0.1 Pro

  • Botnet

    RemoteHost

  • C2

    capriteam.ddns.net:1010

Attributes
  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    true

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-VHHYND

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      HTQ19-P0401-Q0539 NE-Q22940 GR2P5 TYPBLDG-NASER AL FERDAN.exe

    • Size

      412KB

    • MD5

      8c359e6a1e069354f3c7ceb5457157e6

    • SHA1

      b1d305325bdf240f374de2f10932db83290199ff

    • SHA256

      598fbc003f3775d3441846dec51317b6e81422a78c9a0d1b53353025d6953175

    • SHA512

      98292df3fdc144f80b0e5c0f767323c65b1284a2adc282c528428f80b0b4045d50fa8f168c7bec9541e62b11548c177a552bd5d49f62ebf0a6a2174df234a613

    • SSDEEP

      6144:wqM0Y9PoTx4xOm6FylOUunSxIbshHuYxE17ACbPTvPCd7oPhUumf:MiW85S2boHuY217AyvPKUPm

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

  • System Location Discovery (T1614): 1

  • System Language Discovery (T1614.001): 1