General

  • Target

    ORGANIZER-MARY.zip

  • Size

    63.9MB

  • Sample

    240930-xsf7wavbpg

  • MD5

    efc63404c2cea8383d7ed6c158831500

  • SHA1

    f5b4b4e6949f5316c5726ff4d5ede05b1827b6a7

  • SHA256

    1ca69e236adf2ce4b3602f6e7328fdf75f9ca9b99abbc85bef1a034f97acb730

  • SHA512

    9be33a7bd6b0e4e74870af9b2229c152f207ff87d6a64d37e79c8170211857218377e5f4b011b558857273b48bb12da3450d694d9fcacbd0e8bef5ad03664bb2

  • SSDEEP

    1572864:NaSHRqgkyYVr99h5U8BhyxoKgO30T21I09OP74sgu/+aOe5ZcMzCVP7z:NaUcgkVpb5U8B5rxTE9OP3+Ve5S7zz

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    privmerkt.com:8922

    nwemarkets.com:5552

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-TA78E3

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      1 ORGANIZER MARY 2023 COMPILED PDF.exe

    • Size

      6.1MB

    • MD5

      4864a55cff27f686023456a22371e790

    • SHA1

      6ed30c0371fe167d38411bfa6d720fcdcacc4f4c

    • SHA256

      08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2

    • SHA512

      4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb

    • SSDEEP

      98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Executes dropped EXE

    • Adds Run key to start application

    • Target

      msimg32.dll

    • Size

      2.3MB

    • MD5

      1b9dd6d0ec099d3cef652a662cb3dbf5

    • SHA1

      60d53ecd48b32d7a3317dee7938465558910e975

    • SHA256

      b431a7291da03060abacbfe81f2b203d36190dbc15c775ea75b5a1192d48559c

    • SHA512

      4c257deb92509929db801359dcf1317865deb5d705f8e73b56efa885d105db6dfe3b257086f0f879ade9b1f85af872e59c077624355abe16d86ebe7ac82dbeef

    • SSDEEP

      49152:869FikjsYvjmNaMTuF2leBiDw0uLsD4Tht:l9sYvjRYDw0is0Tht

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks