General

  • Target

    ORDER#73672-MAT37367.exe

  • Size

    769KB

  • Sample

    241109-j3aaes1djg

  • MD5

    a22056e4a371b6512e3715adccd24fab

  • SHA1

    5cad41352de9e2c9db06dc8a7f4d079810f63ee3

  • SHA256

    8b1fcad83099e1daf3accdb39f68a0bd696b053aadc8472e9008fd027a390404

  • SHA512

    fc69f64e04a49293a3d14e7923f4bd50ea0c953ca6aa8c5b0bcdc4391296b01cab8cff9399c91efcd0093218c47a17cedbf57fcfd23c55deeb4324ee0ea221ff

  • SSDEEP

    24576:SMwhYwlRZjfxAyExC8Zx0PARxFWfcFqal/F4X5ZiJ:SMwhNlR5xAFZq+WfQiX5i

Malware Config

Extracted

Family

remcos

Botnet

.9.24

C2

moniepont.dynamic-dns.net:3791

Attributes

  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-BPYLMJ

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      ORDER#73672-MAT37367.exe

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with the display window hidden.

    • Blocklisted process makes network request

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target

      Tanagridae.Und

    • Size

      54KB

    • MD5

      5cdf5b58154999b80a32463e8a0f0c22

    • SHA1

      03b1039573b18a3b4041b976b35116bbadf9975b

    • SHA256

      a288fd3f4f312e6764564eea8fe56bdd1abcbfc4c995e2c2c5d0d784bc8f08da

    • SHA512

      4ee3143f95ea7e412e4aa686d6b7da42af52203551f9bec46f252cba19f6ff030a3c3fd2170ae7f7fe6ebac8163df6a226a113106d57b6b090b507b8110808c9

    • SSDEEP

      1536:x9BV78dYnBxVubZS2L3GIlxh/ORzQmpoqGHs:x1wiXVu11l67oqGM

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

MITRE ATT&CK Enterprise v15