General

  • Target

    a681f4e8aff080bfbfeead57c1d44c7dc4165fe18fb72f3e22cea7b7e06a44f8.exe

  • Size

    1.9MB

  • Sample

    241109-dwjydsyqbr

  • MD5

    9e2bb9641df1f89ec932ce2ecf61bbf0

  • SHA1

    3067d1088a5d90fa870ad97b9eaa778c25a6eb67

  • SHA256

    a681f4e8aff080bfbfeead57c1d44c7dc4165fe18fb72f3e22cea7b7e06a44f8

  • SHA512

    cf6dfe990d769f83d0399d075353684daebf3a0fb992d38233e2547056419f86ca8db852bc269d775e47f8a71144f04d2ed8ce3ca4391077fc63cfb8a4ebc1b6

  • SSDEEP

    49152:2s1VyT2ZuEaGmRt6jQf1Xgy8xDZBQq1ryC01BeLE/5:jV9aGFcf1XF86qaSc

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    voirH

  • C2

    hopitaldewigle.com:443

Attributes

  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    leeeeeeees.dat

  • keylog_flag

    false

  • mouse_option

    false

  • mutex

    Rmc-JJTRIQ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      a681f4e8aff080bfbfeead57c1d44c7dc4165fe18fb72f3e22cea7b7e06a44f8.exe

    • Size

      1.9MB

    • MD5

      9e2bb9641df1f89ec932ce2ecf61bbf0

    • SHA1

      3067d1088a5d90fa870ad97b9eaa778c25a6eb67

    • SHA256

      a681f4e8aff080bfbfeead57c1d44c7dc4165fe18fb72f3e22cea7b7e06a44f8

    • SHA512

      cf6dfe990d769f83d0399d075353684daebf3a0fb992d38233e2547056419f86ca8db852bc269d775e47f8a71144f04d2ed8ce3ca4391077fc63cfb8a4ebc1b6

    • SSDEEP

      49152:2s1VyT2ZuEaGmRt6jQf1Xgy8xDZBQq1ryC01BeLE/5:jV9aGFcf1XF86qaSc

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell and hides the display window.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      $_8_/Rickettsialpox.Smk

    • Size

      50KB

    • MD5

      7ddef591261053bd7fac766023859e2d

    • SHA1

      db5c60aa8f81599094f85eee67a47b12d4404c36

    • SHA256

      e84d88ddf388bd9de757eca740cd8ad6fdbb0e84b83de05074300a368cd397f6

    • SHA512

      0da27755fbe80c98b2bf5db1e7555b4cd7366f0804e0df8be343b2b4ab4256fb0e1e44bf4f5eaca9b4e4e5bc02121f6880437c30f4fbfda41ec04508773951f6

    • SSDEEP

      768:e9wSywMc0WWm6zNVoc0YTGv8lVw6C17NauD2J6tZDF7Uras+aH5Ox/ppQUJ6Z:MwBz9NV5ltVwNauD2JcDFSa+HMlpaJ

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Target

      $_8_/nsis.nsi

    • Size

      12KB

    • MD5

      fbbe6daf9579e702210ba6de2164075b

    • SHA1

      767c810a49dd318029a486ffc2e8526db9f41d89

    • SHA256

      d21c90d86eb566d7f9a774136fb3eb7169927a613832cf71ec683e57a82fbf8b

    • SHA512

      93106fff5c136aba491760fe1018fc8b1fc21fbbd05d75224d0f8c2e336a5e2fe58418c9ecdf99ad9fb4f777daf8b7fa2ded9afdf55f9bb769a5ec98f93755a1

    • SSDEEP

      192:293x9uKXh2UMBIxyo5fTWwZExRHPlk+CQOHwtDfRWLpiKDNS5EzA/5X+:2jHhMSyCfTRoRHP5CtQtkLpiKDNS+zAA

    Score: 3/10

    • Target

      $_8_/powershell.ps1

    • Size

      50KB

    • MD5

      7ddef591261053bd7fac766023859e2d

    • SHA1

      db5c60aa8f81599094f85eee67a47b12d4404c36

    • SHA256

      e84d88ddf388bd9de757eca740cd8ad6fdbb0e84b83de05074300a368cd397f6

    • SHA512

      0da27755fbe80c98b2bf5db1e7555b4cd7366f0804e0df8be343b2b4ab4256fb0e1e44bf4f5eaca9b4e4e5bc02121f6880437c30f4fbfda41ec04508773951f6

    • SSDEEP

      768:e9wSywMc0WWm6zNVoc0YTGv8lVw6C17NauD2J6tZDF7Uras+aH5Ox/ppQUJ6Z:MwBz9NV5ltVwNauD2JcDFSa+HMlpaJ

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15