Overview

overview

10

Static

static

5

invoice-QW7008660.exe

windows7-x64

10

invoice-QW7008660.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    97763a2310ecfac75b30fe3c79a51b3e7d3eb9eb51cffbc524f999d2e998fcbb

  • Size

    834KB

  • Sample

    240822-sr1gxawhkk

  • MD5

    421fd92ed467f9495c7f91f6fa70bed1

  • SHA1

    f61f0b5ed5f0a840757c1764c414fb42e855605c

  • SHA256

    97763a2310ecfac75b30fe3c79a51b3e7d3eb9eb51cffbc524f999d2e998fcbb

  • SHA512

    eea5b9aaaf47c9c95dcb4321c9e89d2940ad2711eef5b506be8fb35597c215ba5c12d51f0c5045c96b259e97cff2b92dfae7bf7324f375b43c57cf1c6a64954b

  • SSDEEP

    24576:+vGciqglpionzcW1//S5EowLS9a3T7wvJ9Dx/:X5qEiop1/aKhLSs3T7Apx/

Score
10/10
remcosappodiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

APPO

C2

pronpostavka.com:2559

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    chrome-EZMR6Q

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      invoice-QW7008660.exe

    • Size

      1.3MB

    • MD5

      d1d7a28422449d00071aee08f983ed7a

    • SHA1

      a60732a9bf48716a7853cede3f40d07408992088

    • SHA256

      3696fbaef6eb9a52fcad65eb7743ecb0047082d62b43ba72301d63467b7483ff

    • SHA512

      f10f9e09aa2e0d007e655601d2d9f555cd96cbc84344a81ed832524130b360f1db3575469dad91b6a64309743c585ff5029d3b2ab89517d0defe56a74dba0909

    • SSDEEP

      24576:vqDEvCTbMWu7rQYlBQcBiT6rprG8aP/BiA8NUa8AtmAwRLYqan:vTvC/MTQYxsWR7aP54wR

    Score
    10/10
    remcosappodiscoveryrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks