Overview

overview

10

Static

static

5

RFQ00126345.exe

windows7-x64

10

RFQ00126345.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    021950e9f748c8d7309ec7044b17ad6a05870b7978699dbbbbc226fd1a250914

  • Size

    838KB

  • Sample

    241216-er95fsvndq

  • MD5

    e2e3d54a261355c64986c8c1524eabde

  • SHA1

    9311ec4883575e7458b7704062f48a6733ab97be

  • SHA256

    021950e9f748c8d7309ec7044b17ad6a05870b7978699dbbbbc226fd1a250914

  • SHA512

    8c311969da0ee7e597db17a9439e77ac0f36555e2a422550d32e040a6da79a50b65b9f1439296ac36395db7bbd31492448401b05c18f9970821622dbe68e0d03

  • SSDEEP

    24576:B3PEQnHfpYuYPqGFZzYm7CMucuvThEz9V0:ZxYl5bzb5uceCD0

Score
10/10
remcosremotehostdiscoveryrat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.64.152:2559

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-ZFXG9Y

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      RFQ00126345.exe

    • Size

      1.3MB

    • MD5

      5f38edf8c588efd365f6c82c92d5f0f6

    • SHA1

      6f8ec411858b7410a22401f6c9d6a2a5c45aaa9b

    • SHA256

      d51b3625115680dc3d6e0f5881f914f0373a277e2ef2ec56c88c3f45de997877

    • SHA512

      7bc7886d3c81421d6d9cdc1cf4ee3af5fea572de578fbc8c42509129b37716de7552e3147a3ac84261c463fe79fb60511eff18d45c3bc3d411905c22389028ef

    • SSDEEP

      24576:Cu6J33O0c+JY5UZ+XC0kGso6FapubMGC8db/ZOid2MNTosdIIDnWY:ku0c++OCvkGs9FapCX0yTnyY

    Score
    10/10
    remcosremotehostdiscoveryrat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks