General

  • Target

    20122024_0026_oschadbank_pay_19-12-24-00238323455.7z

  • Size

    1.2MB

  • Sample

    241220-arax5svmcp

  • MD5

    dc17bc83518d859e936b10848d2574c1

  • SHA1

    2a27685cde943079168069c04752482828e590eb

  • SHA256

    fe7b7a9ec25874fff98dbdb57dfc59d9e88823df96aac5c5c6425d659360fea9

  • SHA512

    7b64ca2c0048a33d92b5c397ea5d31fb449915dc57fbd7e4c348299b85272c51c8661af426b5463cb54960868f44e9359a7721ebcd9e24bda6f69dc222e8caee

  • SSDEEP

    24576:D68e1qiYt6Sc4aHeHi0e9i3x01Qygw4dAxOLl9s531lLfz1PS:W8Rd6ScWb48xuQu4dyIu33zzE

Malware Config

Extracted

  • Family

    remcos

  • Botnet

    host_one

  • C2

    101.99.75.173:22
    101.99.75.173:80
    101.99.75.173:5432
    101.99.75.173:3306
    101.99.75.173:55555

Attributes

  • audio_folder

    ??????????? ??????

  • audio_path

    ApplicationPath

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    6C@=0;K.dat

  • keylog_flag

    false

  • keylog_folder

    key

  • mouse_option

    false

  • mutex

    ???-62U21F

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    ?????????

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Електронне платіжне доручення.exe

    • Size

      1.3MB

    • MD5

      ada3c3c6301b67daa99a09c65d93e0b4

    • SHA1

      f2caa797fba73b53637dab45ddc4aefe36dc8fd3

    • SHA256

      d3f253244f5298f184a93f33f9d58823e676d1a2e9253f0e2cc85912544f2fff

    • SHA512

      65142861430847fb588930532d32416c2d466d69937037ceac7f72c1a5c531109c9fa3d18088164c75e3b7a96b0ccf8b4cc767907f542c26a0a2782b4b5a3390

    • SSDEEP

      24576:MebHcAT/WwS275kpc4gIDTFyIt+nbhjQRJGtlz2BQFVUaQLEZM9S+pQkyf:t/WDS5FIbt+nbhcAJyQEZsvWQBf

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Remcos family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

MITRE ATT&CK Enterprise v15