Overview

overview

10

Static

static

5

obax.exe

windows7-x64

10

obax.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e82b61f4de99bd8bc63202a52945726ff8dd14b0fd7b60a2c0b6f4f87d3974fe

  • Size

    817KB

  • Sample

    241127-p7vptatrbs

  • MD5

    f508b51fbf8cba46c51f3efb430eef41

  • SHA1

    303b1f8d5863b6ece9b645187c79e5bf75d7d881

  • SHA256

    e82b61f4de99bd8bc63202a52945726ff8dd14b0fd7b60a2c0b6f4f87d3974fe

  • SHA512

    4bdb68c705358c6c2fa5c4e6396b2eafd3f7b23b7756528a096fe2b043d83b7fb663af9b2d386c9d0b4c971289b5ab3e3541e4aba4349dbfe5e579dd6fa3cf23

  • SSDEEP

    12288:wPSWaYk6i35o/mBuyKU9dKirX/zW2g7U1b+0LYwzLnwOPT173DafKK8oZzhC4:wKWaY03nsc9bsAqcp7b17GfKt4

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.152:2559

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZFXG9Y

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      obax.exe

    • Size

      1.3MB

    • MD5

      9fc81fa529ddcecfeb3d155f77320d62

    • SHA1

      50c9e3d1e66afc0bccf61db4be597d0c566ead54

    • SHA256

      1468bc256c278d1cb79771e2ab7a44f63f05ce2bc48746d6c2f069b1125593ec

    • SHA512

      62fb3f252da77dd4357bad5bdb855218860aa66f99f83d55b02bddc25f2b3f706f684170331898fcbb976747f6f3c7dbbe227c3a9ed093ef0f5a31ef55e17b64

    • SSDEEP

      24576:etb20pkaCqT5TBWgNQ7aTwifkAN443Vfx6A:LVg5tQ7aTwO5/v5

    Score
    10/10
    remcosremotehostdiscoveryrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks