General

  • Target: JaffaCakes118_437cb3ec242f9cfb0c579d68d192c034d54b8c7d976eecb6c48d0535d12308ba
  • Size: 1.0MB
  • Sample: 241225-hxd6ra1khq
  • MD5: 62d53156eda05a0ad11b9a6385dfca61
  • SHA1: b7e3a4db44714d9e24f49f1b56b934c2a5ce4579
  • SHA256: 437cb3ec242f9cfb0c579d68d192c034d54b8c7d976eecb6c48d0535d12308ba
  • SHA512: cf1e126b54cf776aba3669d2fdd015f694293147e18dd251440ab051986f5e753f4d396745a6f40b87b291f210ea80698a42ffae70c0f3bbabd2ed06380009b1
  • SSDEEP: 12288:S8YvIiL+JXIcZlHa9Xyin6OwO0BD5LdPebIt5f2H02VIu4+CG6MkULqkqqGNmRN2:jd5nc9iR7ZQIzf2H0IxXmkP3+LAk6w

Malware Config

Extracted

  • Family: remcos
  • Version: 3.3.2 Pro
  • Botnet: RemoteHost
  • C2: azuite.ddns.net:7667

Attributes

  • audio_folder: MicRecords
  • audio_path: %AppData%
  • audio_record_time: 5
  • connect_delay: 0
  • connect_interval: 1
  • copy_file: remcos.exe
  • copy_folder: Remcos
  • delete_file: false
  • hide_file: false
  • hide_keylog_file: false
  • install_flag: false
  • install_path: %AppData%
  • keylog_crypt: false
  • keylog_file: logs.dat
  • keylog_flag: false
  • keylog_folder: remcos
  • keylog_path: %AppData%
  • mouse_option: false
  • mutex: stub1-LT34V5
  • screenshot_crypt: false
  • screenshot_flag: false
  • screenshot_folder: Screenshots
  • screenshot_path: %AppData%
  • screenshot_time: 10
  • startup_value: Remcos
  • take_screenshot_option: false
  • take_screenshot_time: 5
  • take_screenshot_title: notepad;solitaire;

Targets

    • Target: New Order xls.exe
    • Size: 1.1MB
    • MD5: 4ab071bd0b8d7a699ef70fe29919fc95
    • SHA1: 66bf5bcc31d5e443409671d855730f766e06dcb7
    • SHA256: 38724091a495f134db5f215994dade2f44822dee3408a13e360024a447cc0fa0
    • SHA512: 81e0cc4fc3ffe7abfd3e9c005bb9e9ce4262b4b9020e2e08b8a8735604e8d937bf6fc41c5f41553c8ed9e06bb562947105d2e65fc93cbb12aab6fa05ce170189
    • SSDEEP: 24576:jToVBBGp/W/96XefN7YK4Fh8/ijMQUG5Oa65gepqnbRJ:jToFE/hcYKqKim95geIbRJ

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext
