General

  • Target

    unknown.exe

  • Size

    38KB

  • Sample

    240921-bjfzvsxhnf

  • MD5

    66c49b26cf4da200e05a814cedfc3e83

  • SHA1

    b211205b3a1cc3219e0c877ee44e913aa05a1f5c

  • SHA256

    d1f85945fa3f402202ed31fc7322c3328676a1d609fc9c17ee3a3cb6a49aa5fb

  • SHA512

    00208831a6c7583106f08cccc496fd02e7ff4260a2fca1dea4f619878b2179e9fe39cc59d45903efb20914d1cb242a8deac26c83e73e9b1b6823dd52ac759416

  • SSDEEP

    768:E2nsAHG6hbA/RzFxRXmVIjfHI/JfLQT4r1:EYTdm3RXKofyR+4r

Malware Config

Extracted

Family

remcos

Version

1.7.3 Pro

Botnet

Host

C2

remcos2.legacyrealestateadvisors.net:30042

remcos.legacyrealestateadvisors.net:30041

Attributes

  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    AudioHD.exe

  • copy_folder

    AudioHD

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %ProgramFiles%

  • keylog_crypt

    false

  • keylog_file

    Drivers.dat

  • keylog_flag

    false

  • keylog_folder

    AudioHD

  • keylog_path

    %ProgramFiles%

  • mouse_option

    false

  • mutex

    KJSBIuibidbiwee-ZJFN94

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    AudioHD

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      unknown.exe

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

    • Target

      out.upx

    • Size

      100KB

    • MD5

      4e0c8c4e334e90070e637c151d60cffd

    • SHA1

      c3b10a6ca689e6fe8bee14ed2f91e6c993069849

    • SHA256

      cb4fb104f4701553c532a8bd1335eb600d56c263d67214e1f251b5f49d5b8010

    • SHA512

      7c1e5dc3d75d3ecf3e9649516c69d1a9a88f0e79d0537cc3106fbd6590fdf6010144dd790ba760ebeef8220d3c272291b5d930920c68f3ff2e7f4d4aef293398

    • SSDEEP

      3072:Ms7bVK/5D/boVCbgsc1ooOTRXIqxFs2FbgXNDRTOr:t7bVK/Vo8mzOTRXIqxJFMXNDRTe

    Score
    10/10
    • Remcos

      Remcos is closed-source remote control and surveillance software.

MITRE ATT&CK Enterprise v15

Tasks