Overview

overview

10

Static

static

5

PO.exe

windows7-x64

10

PO.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bd9ce1da9383fcd791d60260c5121733aa7c3c7d0d8f0cf3d7abe458efb13e9e

  • Size

    850KB

  • Sample

    241202-n2j6fsykcn

  • MD5

    7dc15ddf38dd73669cace42df512551f

  • SHA1

    cbcd7bac86c77fa55096157089cc4b28a62bfb76

  • SHA256

    bd9ce1da9383fcd791d60260c5121733aa7c3c7d0d8f0cf3d7abe458efb13e9e

  • SHA512

    a92f36264aa05af12184e6806af170e200a7e71a5047785196368b0937cb9414d21e654f2354a783602c4052ad40113d2c9df311cbe74f8fba595813afed4ce5

  • SSDEEP

    12288:l5O/EdkFM5cUa8aqpJdLnYIrAo8ImGCrkc3uKmJG76ze/jJ2tEjlAOzKfT4elEov:wEdVl7LhbxCwAuKUG7frSZb4eXinXFlG

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.152:2559

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZFXG9Y

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      PO.exe

    • Size

      1.3MB

    • MD5

      e19a187bacda437dc6934bf96cc1aa59

    • SHA1

      784bcea3f13ab321cbeec1fa8a82841967390e33

    • SHA256

      9dbd5e48e3742c2214862708b61e371007e4af7c633f1b2ef355816a22b248e1

    • SHA512

      b2c2adfb60085bdf97ea414a8a05517785a0603806d617df17478ef1ef76cc738cac3dbc3537772cf50b5c0ddbe6d413eecc0324b5817831d318198c2a4bf825

    • SSDEEP

      24576:+u6J33O0c+JY5UZ+XC0kGso6FabQVXV5nCLwsxSn0s7uMSxs9I4RWY:Qu0c++OCvkGs9Fabi5CF0j7P9IJY

    Score
    10/10
    remcosremotehostdiscoveryrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks