General

  • Target

    19ae3643afa6978f331d8b0a62693cf3dbd9d3d9263b649fd875fb39ad684394

  • Size

    312KB

  • Sample

    240903-t8ykba1ekp

  • MD5

    7b45a55f2e0386f9401b02b52af6d887

  • SHA1

    6921a071d71b77c7ebbf0b1a6e11a459b8b9af75

  • SHA256

    19ae3643afa6978f331d8b0a62693cf3dbd9d3d9263b649fd875fb39ad684394

  • SHA512

    b5944549b7ccafec385c10a769088b56eeb6fb8d579471057af771710bdb10453f7bfc5c1226fb60cb116fb1e87b17c6961cd00677b6ce206770ef1980314688

  • SSDEEP

    6144:Hcw2haD6zCSP6mL7Ag5UjmovwwW24yzGUOry+pMfO7yQOBUINyPq:8NAEv6mHCCovNW2YUOr7pMmYLyy

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    ejikenewguy.site:2404

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-E55SDS

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Quote PBR0270824.scr

    • Size

      324KB

    • MD5

      985d9eeed23248b4b8448fddc52e4137

    • SHA1

      4c9a60717d5a5696bb87cdbab9d0ad0fc9b5c95d

    • SHA256

      f9d403b0f6d3993624c7dff24e63c59ece712f8cd64fd6d87289db1959090543

    • SHA512

      37e8844a8a69081afd1a4738868d986a13f841b691168c4d0a1ad05ddedcad02384a6c9fbee067de77c9eb166825b08825d2b8c7842ae488d6a2089c0a7d9fbd

    • SSDEEP

      6144:P+K0WO4UhaD6zCSP6GL7Ag5Uj4oXwwq24yFGUOJy+pMfO7yQaBUINDPP:GW+AEv6GHCMoXNq2mUOJ7pMm8LDH

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      $PLUGINSDIR/System.dll

    • Size

      11KB

    • MD5

      cf85183b87314359488b850f9e97a698

    • SHA1

      6b6c790037eec7ebea4d05590359cb4473f19aea

    • SHA256

      3b6a5cb2a3c091814fce297c04fb677f72732fb21615102c62a195fdc2e7dfac

    • SHA512

      fe484b3fc89aeed3a6b71b90b90ea11a787697e56be3077154b6ddc2646850f6c38589ed422ff792e391638a80a778d33f22e891e76b5d65896c6fb4696a2c3b

    • SSDEEP

      96:3IsUxO9udx4qYp7AJb76BykUbQMtHUOA5Iv+RnsrqeXV+d1g2IW9t2c+cEwF9oug:YVL7ikJb76BQUoUm+RnyXVYO2RvHoug

    • Score

      3/10

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      6KB

    • MD5

      b2639b996a3d69541c78642772283e9f

    • SHA1

      e8a0c678708b8b625234a3ac502e37940ad2992f

    • SHA256

      79aa4f0daf303b02bfcf0306e690378e050003e42c7c9d3e1bd5ad62fb2f3a21

    • SHA512

      fabd2f9dd6ff8887cde99c9ccb7c755722daed0e6d7d332e1811b7a4a0f10daaad3ab750fb90838fdcc8049bda49f0cb84283e007c48e54b117b4de41c321815

    • SSDEEP

      96:57GUaYNwCLuGFctpiKFlYJ8hH4RVHpwdEeY3kRlDr6dMqqyVgN838:Vygp3FcHi0xhYMR8dMqJVgN

    • Score

      3/10

MITRE ATT&CK Enterprise v15

Tasks