General

  • Target

    a72d8b61eaf5eb63dbf71fd2fdb64d2f51c0f9c9381ffff75c0aea44fafb6693

  • Size

    839KB

  • Sample

    240926-jrpkzayekh

  • MD5

    d438c20bfb5e619266a8934030086656

  • SHA1

    21994c90738a211ab4a5b5731c07073738d65dbb

  • SHA256

    a72d8b61eaf5eb63dbf71fd2fdb64d2f51c0f9c9381ffff75c0aea44fafb6693

  • SHA512

    fd8fa21cd653fe44a580611061c7c321b6a9e866f7e069b9c3e90d95e09566a6a50a322f4dcca524435cbce84864c123ee7c6017221da2fe2e154ca997ba3bfb

  • SSDEEP

    24576:Jm28ye+LgKsS/0CDWB5xFTLEtdikg8I9iDRcA:iy5g7QqxF/Eukg8I9AR1

Malware Config

Extracted

Family

remcos

Botnet

IRN

C2

irnserv1.ddns.net:4424

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-CA8761

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      TNT invoice 9.26.2024 .exe

    • Size

      881KB

    • MD5

      7afd5be4b77090388ddecb8169cf0bc3

    • SHA1

      d3b6ba2e53aed1471c12196c577b7be56d14cf2f

    • SHA256

      68a4b0d743c427d59d076376e5c3a131ee7ab29cdc959b8872735c06b70b7036

    • SHA512

      2f16fce3f75bce88c79286f41010d76691fe0fab37c4fad814867b819c60c81fe4dff17ad722952cc6c7a7d99aaec75d51d2fd16350babb8d3388e11d2236a06

    • SSDEEP

      24576:VE8AE9lxicGLP0CDyB/1FNlUcDos713jb:VExsxiTVe1F/UcDosVb

    • Remcos

      Remcos is closed-source remote control and surveillance software, sold commercially and widely abused as a remote access trojan (RAT).

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
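The extracted config and the behaviour signatures above are most useful when turned into something that can be run against endpoint telemetry. The following is an added example (not Triage's code, and not anything from the Remcos sample itself) that derives host and network indicators from the config fields listed in the report (C2 host and port, mutex, copy_folder/copy_file, keylog_folder/keylog_file) and checks them, together with the Defender-exclusion and Run-key behaviours, against constructed Sysmon-style events. The event schema (`type`, `image`, `cmdline`, `query`, `dest_host`, `dest_port`, `key`, `data`, `name`) and the sample events are assumptions made for the example; the install root (%AppData% or otherwise) is not in the config, so paths are matched by suffix.

```python
"""Derive hunting indicators from the Remcos config in this report and run
them over constructed telemetry.  Added example; not sandbox or malware code."""
import re

# Values copied from the "Malware Config" section of this report.
REMCOS_CONFIG = {
    "c2": ["irnserv1.ddns.net:4424"],
    "mutex": "Rmc-CA8761",
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
    "install_flag": True,
}

# PowerShell adding Defender exclusions (report signature "Command and
# Scripting Interpreter: PowerShell").  Case-insensitive because PowerShell is.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b", re.IGNORECASE)

# Any value written under a ...\CurrentVersion\Run key (report: "Adds Run key").
RUN_KEY = re.compile(r"\\currentversion\\run(?:\\|$)")


def indicators_from_config(cfg):
    """Turn config fields into concrete indicators.

    Paths are kept as "\\folder\\file" suffixes because the config does not
    state the install root (assumption: match on the tail of the path)."""
    ioc = {"domains": set(), "ports": set(), "mutexes": {cfg["mutex"]},
           "path_suffixes": set()}
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        ioc["domains"].add(host.lower())
        ioc["ports"].add(int(port))
    if cfg.get("install_flag"):
        ioc["path_suffixes"].add(("\\" + cfg["copy_folder"] + "\\" + cfg["copy_file"]).lower())
    ioc["path_suffixes"].add(("\\" + cfg["keylog_folder"] + "\\" + cfg["keylog_file"]).lower())
    return ioc


def _path_matches(path, ioc):
    """Normalise slashes/quotes/case and compare against the known suffixes."""
    p = path.strip('"').lower().replace("/", "\\")
    return any(p.endswith(s) for s in ioc["path_suffixes"])


def scan_events(events, ioc):
    """Apply the rules to a list of event dicts; returns [(rule, event_id), ...]."""
    hits = []
    for ev in events:
        t, eid = ev["type"], ev["id"]
        if t == "process":
            if DEFENDER_EXCLUSION.search(ev.get("cmdline", "")):
                hits.append(("defender_exclusion_added", eid))
            if _path_matches(ev.get("image", ""), ioc):
                hits.append(("remcos_dropped_exe_executed", eid))
        elif t == "dns" and ev["query"].lower() in ioc["domains"]:
            hits.append(("remcos_c2_dns", eid))
        elif t == "network" and ev["dest_host"].lower() in ioc["domains"] \
                and ev["dest_port"] in ioc["ports"]:
            hits.append(("remcos_c2_connect", eid))
        elif t == "mutex" and ev["name"] in ioc["mutexes"]:
            hits.append(("remcos_mutex", eid))
        elif t == "registry" and RUN_KEY.search(ev["key"].lower()) \
                and _path_matches(ev["data"], ioc):
            hits.append(("remcos_run_key_persistence", eid))
    return hits


# Constructed telemetry (not from the sandbox run): a plausible infection chain
# for this sample plus two benign events that must not fire.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Users\u\Downloads\TNT invoice 9.26.2024 .exe",
     "cmdline": '"TNT invoice 9.26.2024 .exe"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden Add-MpPreference -ExclusionPath "C:\Users\u\AppData\Roaming\Remcos"'},
    {"id": 3, "type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Remcos",
     "data": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe"},
    {"id": 4, "type": "process", "image": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe",
     "cmdline": "remcos.exe"},
    {"id": 5, "type": "mutex", "name": "Rmc-CA8761"},
    {"id": 6, "type": "dns", "query": "irnserv1.ddns.net"},
    {"id": 7, "type": "network", "dest_host": "irnserv1.ddns.net", "dest_port": 4424},
    {"id": 8, "type": "dns", "query": "update.microsoft.com"},          # benign
    {"id": 9, "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-MpPreference"},                          # benign
]

if __name__ == "__main__":
    for rule, eid in scan_events(SAMPLE_EVENTS, indicators_from_config(REMCOS_CONFIG)):
        print(f"event {eid}: {rule}")
```

The C2 port on its own (4424) is deliberately not used as an indicator, since it is a weak signal; it only strengthens a hit on the dynamic-DNS host. Note that the dropped-file and Run-key rules depend on the `copy_folder`/`copy_file` values, which the operator can change per build, whereas the `Add-MpPreference -Exclusion*` rule is build-independent and worth keeping regardless of this sample's config.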

MITRE ATT&CK Enterprise v15

Tasks