General

  • Target

    2abc2455ec5795cd794874db139f19099abca584de370801aa95bb51c7814245

  • Size

    775KB

  • Sample

    241020-24e66svhqg

  • MD5

    70881e8249af0fc9c611551f6cb46d21

  • SHA1

    ed05d29d1126a8b1a8e5f543f36be540542da640

  • SHA256

    2abc2455ec5795cd794874db139f19099abca584de370801aa95bb51c7814245

  • SHA512

    e0288c4d477dd46887db9bb52b4321aa53300e4b61f234ecfa8bd2b60f33c7c56db3edb5a4847ff8f7cb6b3c94d92894e6525599decf9e7c9e18f811eaca3e61

  • SSDEEP

    12288:GjPx+xDtJp1AynIDTO5i/em+Yc4O/xT5IqsEHnzkenxrTuINFhcNmJYiy5v:S567ETO5i/eLYc1pdjfnzkaxr8fiE

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    OCTOBER

  • C2

    windowxpjoke.duckdns.org:24044

    84.38.132.104:1985

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    explorre

  • copy_folder

    explorre

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-OAEVAI

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      QUOTE #46789-OCT24_JAMEELA TRD LLCS.bat

    • Size

      836KB

    • MD5

      837843cbc8249c71125a2113d1acd71f

    • SHA1

      aa80a680576261190000a9b6c113b4bcef1d8728

    • SHA256

      ec8356a9908aad8b184033c27bc7c94a8332a5c16371d72442a49a86669e57e5

    • SHA512

      2059553ac3c08d5d389c513242a3ee40ea176027c38d25e6d3e3aa6b7349fdf81405da8b453a0107fd1aa3a7435d7209655338ddb51ce4bb1ccb38786485ce4a

    • SSDEEP

      12288:XjWxDtrp10yzIDrOXive++gc4c/xF5IqsEHnz2InxJTuINvhUNmvIiyC7:XjmHErOXiveDgclpDjfnz2gxJKlil

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Chine/Aake.omr

    • Size

      52KB

    • MD5

      76c2e06efc11f956e4e7a6aad633f3b7

    • SHA1

      ac79ab670ddb7874b259d2f0ff5c5283c5ff90ee

    • SHA256

      cfbc27159dd8a2ce54dce1125e0cdc2dc27db461e355ad318cefd1f37a452898

    • SHA512

      b8582f6559ad0f642a000bf1c7be68c537ef9bc206ee9de0c4da70614d176e11e34b2fba607f6c33942b5200f518c24d04e43957b57c9c09c8aceaecf0f1050b

    • SSDEEP

      1536:Teu79baJtMuj3hg9oYfrAC8RtDKUiPkJJWOU:CEzoM98bOHGJVU

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15

Tasks