General

  • Target: 23082024_1353_22082024_PO.34JK.zip
  • Size: 919KB
  • Sample: 240823-q62x6szgkn
  • MD5: 09d37906a36d47d79ab3d0a836c404b5
  • SHA1: 3439b23df57c426adf47e4b83430cd447251bea5
  • SHA256: 31542c2f7fd0a91f93aa7f3b9cae22f0a22290d3d6b55040fe5e1baf2891deee
  • SHA512: 9488b4cdac41302fc6533d431fb90794cc910463c96cdfcdbeb27bf774f541bfbb9cc4a848232984b8a325323421a9eee532cfad06c2697fb16fdc590bbe1426
  • SSDEEP: 24576:TP00pjGlS5u06tNUqq03eW64hm+07IOR1m8Z9k1GoTs7wBsfo4MD:TPxpn0tuAm+DssiS1yKj4MD

Malware Config

Extracted

  • Family: remcos
  • Botnet: RemoteHost
  • C2: 91.92.241.131:14646

Attributes
  • audio_folder: MicRecords
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • mouse_option: false
  • mutex: Rmc-9EXO78
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • take_screenshot_option: false
  • take_screenshot_time: 5

Targets

    • Target: PO.34JK.exe
    • Size: 992KB
    • MD5: 84f5fd95c890c91277e7df55814ebd2a
    • SHA1: c2f46d2bba69f1a136ee0bedc95d790294d588ba
    • SHA256: d80ce34f15564cae781c02bc3ee2f25a8f44e6ae54ba162e5f9027a7dd43b071
    • SHA512: 06ef0d02eee2313eac8a05a365d1096691167990b530039d16e5ae4baff37607bb5ad1ac55069195afbf600de3824921da75a930a5413d038bc88732b3d27d8e
    • SSDEEP: 24576:1FBGzS58063NMqy03IS2MVm+i/IORHmY/9k1iobs7SBkfk4Mt:1Frsl4Um+LsGaS1K0V4M

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks