Overview

overview

10

Static

static

1

Smple_Orde...45.xls

windows7-x64

10

Smple_Orde...45.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Smple_Order-048576744759475945.xls

  • Size

    1.1MB

  • Sample

    241217-m8h2asxpgs

  • MD5

    df946e734bca37e4eaf06978a0b95ef1

  • SHA1

    c06f8ddc7d5cb1030c516286bd0a660502cbbe35

  • SHA256

    7fb0d13c333aef86316da1494da234eade3b8db44fddd27affc38bae40614744

  • SHA512

    e9dd9266c4dc5721b47d1d4de0e1525482cbec8330e5003f0444d940c99380efae89f7424d709e7aac4962e2541d84b06c1fb7d4686e0949a852e83b39d5dc96

  • SSDEEP

    12288:qymzHJEUiOIBUzMTSgD3DERnLRmF8DrEPTxpsAQx1Zj+j+EPebSA5YiA76UdKX/E:4BaRbARM8+D8Z+jJC50YrNPkly4h

Score
10/10
remcoselvisdefense_evasiondiscoveryexecutionphishingrat

Malware Config

Extracted

Family

remcos

Botnet

elvis

C2

107.173.4.16:2560

Attributes
  • audio_folder

    MicRecords

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-GJDISH

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Smple_Order-048576744759475945.xls

    • Size

      1.1MB

    • MD5

      df946e734bca37e4eaf06978a0b95ef1

    • SHA1

      c06f8ddc7d5cb1030c516286bd0a660502cbbe35

    • SHA256

      7fb0d13c333aef86316da1494da234eade3b8db44fddd27affc38bae40614744

    • SHA512

      e9dd9266c4dc5721b47d1d4de0e1525482cbec8330e5003f0444d940c99380efae89f7424d709e7aac4962e2541d84b06c1fb7d4686e0949a852e83b39d5dc96

    • SSDEEP

      12288:qymzHJEUiOIBUzMTSgD3DERnLRmF8DrEPTxpsAQx1Zj+j+EPebSA5YiA76UdKX/E:4BaRbARM8+D8Z+jJC50YrNPkly4h

    Score
    10/10
    remcoselvisdefense_evasiondiscoveryexecutionphishingrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Evasion via Device Credential Deployment

      defense_evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks