Overview

overview

10

Static

static

3

b4ca0b94b1...e8.exe

windows7-x64

10

b4ca0b94b1...e8.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    16e2d29365a7362d9c0d83fe0664cceb.bin

  • Size

    1.4MB

  • Sample

    240824-bc2yraxbpb

  • MD5

    1fc2e1acecaa0c091dfdc0be1b3369f4

  • SHA1

    f992fcabe3b722b514aa7e5b9e48cfcd336fb0ac

  • SHA256

    e1f031e6774ad4f0701e5477b55e90d5cdb444ee7754b42cbcbfd7b7de5e09cc

  • SHA512

    e37b72372462bca39662e7d91baf776a5560b45000107eb11d5ade8fe65ee6586a631ec8f632483228ea34bb97dcacbd3b7621a24d0ea247624b78c147fe74f4

  • SSDEEP

    24576:+mWUmFyQKtSom5WY2Q8Cr7tVBkZNy4639R/DaCp1eR73/:4BnASlWNQcyBb/eR73/

Score
10/10
remcosonediscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

one

C2

101.99.75.178:2404

101.99.75.178:8080

101.99.75.178:80

101.99.75.178:4899
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    xkosl-VDHNPT

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      b4ca0b94b1a4e5b2ed28ad66c2df781b5add3c46cf5232b64b3a5253bcc341e8.exe

    • Size

      1.5MB

    • MD5

      16e2d29365a7362d9c0d83fe0664cceb

    • SHA1

      44e354aa9368155ebc2141b6e1ccb0b4b010c717

    • SHA256

      b4ca0b94b1a4e5b2ed28ad66c2df781b5add3c46cf5232b64b3a5253bcc341e8

    • SHA512

      d6ed135c0c0eea9ae5c6ac2bd881e8431c77c0541782a06eb22c528e3756f7ece5f582f136ecbe20798652edb63f2474e8e8d67ef3836c5485a76a34a770456c

    • SSDEEP

      24576:UzZj1vnMyW6veAP/IjOyRokfEOHnQkgDG723byW2HCss3S0avVBbrYrfEXKfs:UlyyWuA6sj3QkgiW12i40y6MXK

    Score
    10/10
    remcosonediscoveryrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

      discovery
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks