General

  • Target

    JaffaCakes118_a87c27d613d16ecdc66c26d338c834c9b721e544b702b00b8a0728806ff77086

  • Size

    510KB

  • Sample

    241221-12tq4s1pdl

  • MD5

    9746add01286c10ac4f833f73ccb507c

  • SHA1

    12011301ac0f90d4def52f997aab551349ccdbec

  • SHA256

    a87c27d613d16ecdc66c26d338c834c9b721e544b702b00b8a0728806ff77086

  • SHA512

    f6a710293435f914aa1c7926269aa180e20749ef64b602dcd3a8affec6a81928a87b4e4595e3c594d0b22d3036d8e5a4a0c22966432547292ad82b8d23e6ee1f

  • SSDEEP

    12288:+9DGG3qNXPcDsgGVqUN3p5JioHs0M38eQuqRYxLfvR8LTc+:+FZ3pDXGj3iE5GlG2HRe5

Malware Config

Extracted

Family

remcos

Version

2.7.2 Pro

Botnet

NGOZI2021

C2

favour2021.ddns.net:1990

Attributes

  • audio_folder

    MicRecords

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-EW6A42

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

  • take_screenshot_title

    wikipedia;solitaire;

Targets

    • Target

      Shipping Document PL& BL 00980 ,pdf.exe

    • Size

      902KB

    • MD5

      1a5c59aeb8ec99b73bc89056e63805c0

    • SHA1

      25602dcef8fb46b22e954f225483f3e3617a0261

    • SHA256

      3b1b352f3c4d0fe235b45d9db418e1e4155ab31265ee368ed646ac38071a2eda

    • SHA512

      a021ff6a08bf44ec06c8e884d2dca83eb161a86e8a8b638a19274e8900746a63a8219271f030c336eb3db61d8765da60a853a21785ef35ec4314f81bcd130a6c

    • SSDEEP

      12288:2HsJlkbMylWnvSx/KG3EaXZK2bq5RILVO1Y+LG9hSmfE:+eCQZvq939ZM5RIqYTm6

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • .NET Reactor protector

      Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks