General

  • Target

    27082024_0700_26082024_P.O_Qouts_t87E90Y-E4R7G-PDF.rar

  • Size

    532KB

  • Sample

    240827-hsstcazepn

  • MD5

    4505cfb063e82ebb6c18b5364a2f362c

  • SHA1

    ac69d937a41129473348cc093d1d5a3e483aa33b

  • SHA256

    e505a5d55f478d0fe82ed880dd7280bd0c996c61f81b7a29833a3dccc9640832

  • SHA512

    d6a79dc433a83b3dde637e6cd9f298bc22a670863be1e6cc1f310523a2023e0e371d29605e3f24c61610e8836472b0d48c77c57efc7fc58dfcc5cf5a93a785bc

  • SSDEEP

    12288:sIUEBRBtWa57yIjVGgq4PpzpTyQYyoumQZUMi41qQIrxm:sIUEbBtWa59NqCpzpTyQRodQOM1

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.95.169.18:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-HP1D61

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      P.O_Qouts_t87E90Y-E4R7G-PDF.exe

    • Size

      636KB

    • MD5

      c1c571c4f8f69d3c8aa0ec091173bd5e

    • SHA1

      a36ac174f8ee2ed2254f69a21799837af58071f2

    • SHA256

      d7cf40360b1dd35e6a20b8639f0fe9cc918157de07ff248983db6f0ee1472dbb

    • SHA512

      08b540ab5ebb986cc43add736aee38d11a5f0da5252384bb30c7ca7f7b464e63debab4cec5a3dd122e3280f26e57e5ac8adc171e237a681d0e95239bddc11a1d

    • SSDEEP

      12288:5rRo7TKXllTfhmiKdHEHPSXbOp/NoJnYRlXO3iBM4ILaa+Brt:JC7TKXlFfsiMEHPSq8YfMiBMh+ht

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/BgImage.dll

    • Size

      7KB

    • MD5

      a615e590815c8a602bb697ccd2421c38

    • SHA1

      c88e5006622146b3d5acbdc3639bad06066c1c0c

    • SHA256

      446a45a23c01944a0c23f59f4967890f199d7f4bca77793c4e1a54c04bdef44d

    • SHA512

      a45c4c177db16e9f0b122c45cd16b856b4f99a33052c4e248d5d997a4eedb2be690a797a92d042c3de62ee098cb1b2be8cb9dae2d8b11cfcff77fd46d7902f90

    • SSDEEP

      96:8eM0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqkvnLiEQjJ3KxkP:tuBfjbUA/85q3wEh8uLmWLpmP

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      9KB

    • MD5

      eb2c74e05b30b29887b3219f4ea3fdab

    • SHA1

      91173d46b34e7bae57acabdbd239111b5bcc4d9e

    • SHA256

      d253ca5aba34b925796777893f114cc741b015af7868022ab1db2341288c55ed

    • SHA512

      1bb035260223ec585170f891c2624b9ae98671f225e74b913b40bb77b66e3b9c2016037bc8e4b0ae16367d82590a60a0a3bd95d05139ea2454f02020d1b54dae

    • SSDEEP

      96:oVDlD3cd51V1zL7xqEscxM2DjDf3GEst+Nt+jvcx488qndYv0PLE:oVp34z/x3sREskpxjdO0PLE

    • Score

      3/10
