General

  • Target

    9637d5e3fdd07fe88d08a27d180b156e9eb8aad744b0b1195cd3595b73c0e575

  • Size

    892KB

  • Sample

    240912-x7xs6szgmm

  • MD5

    b2a02d209497e271ac67a2309fc26db2

  • SHA1

    af2f093be77b9502f65374e0e784e6efe5bb046e

  • SHA256

    9637d5e3fdd07fe88d08a27d180b156e9eb8aad744b0b1195cd3595b73c0e575

  • SHA512

    7852fa815324e3e3dd8fa2a10ced891717e2ab35369d75696c49d2b65ecd0b753a5e98dd78f0d789efcba1fe068da17b5d479a2162cc9a636e6b01385704ac69

  • SSDEEP

    24576:iJhLSG5QcArJEByN6KypbJNPeonoHVtxFqp0uTQnC3XN+qZapw:0hJe1rJmyRyp209p0uTQnCHXspw

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

198.46.174.158:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-130QB0

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
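The attribute list above is the sandbox's decoded view of the configuration embedded in the sample. The example below, added here and not code from the sandbox or from Remcos, shows the two steps a practitioner typically repeats by hand: decoding a Remcos-style SETTINGS blob (layout as described in public analyses of Remcos builds: one byte of RC4 key length, the key, then the RC4-encrypted config with fields joined by `|\x1e\x1e\x1f|`; field order is version-dependent, so only field 0, the C2 `host:port`, is mapped) and turning the decoded attributes into IOCs that respect the feature flags. With `install_flag`, `keylog_flag` and `screenshot_flag` all false, this build leaves no dropped copy, keylog or screenshot folder to hunt for; the mutex and the C2 socket are what remains. The blob and the config dict are constructed from the values in this report; the `%AppData%` install root is an assumption, since the report does not state the copy root.

```python
"""Decode a Remcos-style SETTINGS blob and derive hunting IOCs from it.

Added example for this report, not code from the sandbox or from Remcos.
Assumed layout (public analyses of Remcos builds): the RCDATA resource
"SETTINGS" starts with one byte giving the RC4 key length, then the key,
then the RC4-encrypted configuration; fields are joined with the delimiter
b"|\x1e\x1e\x1f|". Field order changes between versions, so only field 0
(C2 "host:port") is mapped. The blob and the attribute dict below are
constructed from the values in this report; nothing is read from the sample.
"""
from __future__ import annotations

DELIM = b"|\x1e\x1e\x1f|"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_settings_blob(key: bytes, fields: list[bytes]) -> bytes:
    """Inverse of parse_settings_blob; used only to construct test input here."""
    if not 1 <= len(key) <= 255:
        raise ValueError("RC4 key must be 1..255 bytes to fit the length prefix")
    return bytes([len(key)]) + key + rc4(key, DELIM.join(fields))


def parse_settings_blob(blob: bytes) -> list[bytes]:
    """Split a SETTINGS blob into its plaintext fields (positional, version-dependent)."""
    if len(blob) < 2:
        raise ValueError("blob too short")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len + 1:
        raise ValueError("truncated SETTINGS blob")
    key = blob[1:1 + key_len]
    return rc4(key, blob[1 + key_len:]).split(DELIM)


def parse_c2(field: bytes) -> tuple[str, int]:
    """Field 0 is 'host:port'; a password may follow as a third ':' part and is ignored."""
    host, port = field.decode("ascii", "replace").split(":")[:2]
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"bad C2 port {port!r}")
    return host, int(port)


# Attribute values as listed in this report (constructed dict, not parsed from the sample).
REPORT_CONFIG = {
    "c2": "198.46.174.158:2404", "botnet": "RemoteHost", "mutex": "Rmc-130QB0",
    "install_flag": False, "copy_folder": "Remcos", "copy_file": "remcos.exe",
    "keylog_flag": False, "keylog_folder": "remcos", "keylog_file": "logs.dat",
    "screenshot_flag": False, "screenshot_path": "%AppData%",
    "screenshot_folder": "Screenshots", "audio_folder": "MicRecords",
}


def derive_iocs(cfg: dict) -> dict[str, list[str]]:
    """Emit host artifacts only when the flag enabling that behaviour is set.

    With install_flag false the dropped copy never lands on disk, so hunting for
    %AppData%\\Remcos\\remcos.exe is wasted effort; the mutex and the C2 socket
    are what this build leaves behind. The install root is ASSUMED to be the
    same %AppData% the report shows for screenshots; the config does not say.
    """
    host, port = parse_c2(cfg["c2"].encode())
    iocs = {"network": [f"{host}:{port}"], "mutex": [cfg["mutex"]], "files": []}
    root = cfg.get("screenshot_path", "%AppData%")
    if cfg["install_flag"]:
        iocs["files"].append(f"{root}\\{cfg['copy_folder']}\\{cfg['copy_file']}")
    if cfg["keylog_flag"]:
        iocs["files"].append(f"{root}\\{cfg['keylog_folder']}\\{cfg['keylog_file']}")
    if cfg["screenshot_flag"]:
        iocs["files"].append(f"{root}\\{cfg['screenshot_folder']}\\")
    return iocs


if __name__ == "__main__":
    # Constructed blob using the report's C2, botnet id and mutex as the first fields.
    blob = build_settings_blob(b"k3y", [b"198.46.174.158:2404", b"RemoteHost", b"Rmc-130QB0"])
    fields = parse_settings_blob(blob)
    print(fields, parse_c2(fields[0]))
    print(derive_iocs(REPORT_CONFIG))
```

Flip `install_flag` to true in `REPORT_CONFIG` and `derive_iocs` starts emitting the `%AppData%\Remcos\remcos.exe` path; that is the check to run before spending hunt time on file paths from a config whose persistence is switched off.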

Targets

    • Target

      New Inquiry.exe

    • Size

      965KB

    • MD5

      d5c37d93192e0f422d5d137ec4aa2b8c

    • SHA1

      b7beeb30b007534621de8a6b3290cb5d1fbd1dec

    • SHA256

      92afc1bb9af8c414b7501e82e840f575d992ba24ff9b7abcce570bd056beec51

    • SHA512

      071b1c3a95096fa76231f61f33e0fdc95a4b7ee0e18d7256edac807219c83ffcaf540921cfa710a31a4728b80739dbcd1a93d31d70e95322d29b7dac52f506f9

    • SSDEEP

      24576:viwf65QYsrvEByN6wyNgMYQ2na5LN46w/APTUTQnuf7nk:meHrvmyRyY6hATQnufT

    • Remcos

      Remcos is closed-source remote control and surveillance software, sold commercially as a remote administration tool and widely abused as a RAT.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

      Calls SetThreadContext on a thread in another process; this is the step process hollowing uses to point a suspended process at injected code.
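Two of the behaviours above are directly detectable from endpoint telemetry: the PowerShell call that adds Defender exclusions, and the connection to the C2 extracted from the config. The following is an added example of that detection logic, not one of the sandbox's own signatures. It runs over constructed Sysmon-style events (field names mirror process-create EID 1 and network-connect EID 3; no real log is read) and also handles the obvious evasion, `-EncodedCommand`, by decoding the base64 UTF-16LE payload before matching. The process IDs, paths and command lines in the sample events are constructed for the example.

```python
"""Detect Defender-exclusion PowerShell and Remcos C2 traffic in Sysmon-style events.

Added example, not the sandbox's signatures. Events are plain dicts whose keys
mirror Sysmon EID 1 (process create) and EID 3 (network connect). The sample
events at the bottom are constructed; the C2 host and port come from the
config extracted in this report.
"""
from __future__ import annotations
import base64
import re

C2_HOST, C2_PORT = "198.46.174.158", 2404

# Add-MpPreference with any exclusion switch. Set-MpPreference takes the same
# -Exclusion* parameters, so both cmdlets are matched. PowerShell is case-insensitive.
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b", re.IGNORECASE
)
POWERSHELL = re.compile(r"(?:^|\\)(powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str | None:
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
    so match by prefix; -ExecutionPolicy and -ExclusionPath are not prefixes of
    'encodedcommand' and are left alone. Payload is base64 of UTF-16LE text.
    """
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        p = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and p and "encodedcommand".startswith(p):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def is_defender_exclusion(event: dict) -> bool:
    if event.get("EventID") != 1 or not POWERSHELL.search(event.get("Image", "")):
        return False
    cmd = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmd) or ""
    return bool(DEFENDER_EXCLUSION.search(cmd) or DEFENDER_EXCLUSION.search(decoded))


def is_c2_connection(event: dict, host: str = C2_HOST, port: int = C2_PORT) -> bool:
    # Port is matched too; Remcos listens on the configured port (2404 here).
    return (event.get("EventID") == 3 and event.get("DestinationIp") == host
            and int(event.get("DestinationPort", 0)) == port)


def triage(events: list[dict]) -> list[tuple[str, int, str]]:
    """Return (detection, pid, detail) for every matching event, in input order."""
    hits = []
    for ev in events:
        if is_defender_exclusion(ev):
            hits.append(("defender_exclusion", ev["ProcessId"], ev["CommandLine"]))
        if is_c2_connection(ev):
            hits.append(("remcos_c2", ev["ProcessId"], f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return hits


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Encoded form of the exclusion command, built here rather than hand-typed.
ENC_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionProcess remcos.exe".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed, not from the sandbox run
    {"EventID": 1, "ProcessId": 4412, "Image": PS_IMAGE, "ParentImage": r"C:\Users\user\Desktop\New Inquiry.exe",
     "CommandLine": 'powershell.exe Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'},
    {"EventID": 1, "ProcessId": 4420, "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -nop -w hidden -e " + ENC_PAYLOAD},
    {"EventID": 1, "ProcessId": 4500, "Image": PS_IMAGE, "CommandLine": "powershell.exe Get-Date"},
    {"EventID": 1, "ProcessId": 4510, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c echo Add-MpPreference -ExclusionPath C:\\'},
    {"EventID": 3, "ProcessId": 4380, "Image": r"C:\Users\user\Desktop\New Inquiry.exe",
     "DestinationIp": "198.46.174.158", "DestinationPort": 2404},
    {"EventID": 3, "ProcessId": 4380, "Image": r"C:\Users\user\Desktop\New Inquiry.exe",
     "DestinationIp": "198.46.174.158", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(*hit)
```

The `cmd.exe` event is deliberately not a hit: the exclusion string only matters when PowerShell actually executes it, and a `cmd.exe /c powershell ...` chain produces its own EID 1 for the child, which the rule catches. The port check on the C2 match is a precision trade-off; drop it if the same host is seen on other ports in your telemetry.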

MITRE ATT&CK Enterprise v15