Overview

overview

10

Static

static

1

dab79a6a11...fb.exe

windows7-x64

3

dab79a6a11...fb.exe

windows10-2004-x64

10

Respektlsestes.ps1

windows7-x64

3

Respektlsestes.ps1

windows10-2004-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dab79a6a1178db25ff7368d7d053171539f737c246a02549be64cd7f2f36dffb.exe

  • Size

    767KB

  • Sample

    250217-ez17hszpdy

  • MD5

    3cdf02f1e4f157615d752fb63eb1d073

  • SHA1

    66c1220e48da186f6f94f0107ec8449878c3b873

  • SHA256

    dab79a6a1178db25ff7368d7d053171539f737c246a02549be64cd7f2f36dffb

  • SHA512

    a800fb8c50116397af66f4181ff8fbde8e04ccff103c34b860c92801ac68e2e26bf9be1866dae6554787c6b97310b8969741a78f9ee5ec9d74ed71b28817a8ed

  • SSDEEP

    12288:SGYEBUTGfcYjgCqOBHh02/24NCR9fQ9lyAjaGV+68L4jQ03eo8EeV+68L1lfHphf:zYi6GTj5TJN6Y9l9WDiQSesL1lfJhf

Score
10/10
remcoshoraydiscoveryexecutionpersistencerat

Malware Config

Extracted

Family

remcos

Botnet

Horay

C2

halelgeeh8iugoty1.duckdns.org:8347

halelgeeh8iugoty1.duckdns.org:37830

halelgeeh8iugoty2.duckdns.org:8347

halelgeeh8iugoty3.duckdns.org:8347

halelgeeh8iugoty4.duckdns.org:8347
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    gbirtup.dat

  • keylog_flag

    false

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    hnsoetuise-SUOTS6

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      dab79a6a1178db25ff7368d7d053171539f737c246a02549be64cd7f2f36dffb.exe

    • Size

      767KB

    • MD5

      3cdf02f1e4f157615d752fb63eb1d073

    • SHA1

      66c1220e48da186f6f94f0107ec8449878c3b873

    • SHA256

      dab79a6a1178db25ff7368d7d053171539f737c246a02549be64cd7f2f36dffb

    • SHA512

      a800fb8c50116397af66f4181ff8fbde8e04ccff103c34b860c92801ac68e2e26bf9be1866dae6554787c6b97310b8969741a78f9ee5ec9d74ed71b28817a8ed

    • SSDEEP

      12288:SGYEBUTGfcYjgCqOBHh02/24NCR9fQ9lyAjaGV+68L4jQ03eo8EeV+68L1lfHphf:zYi6GTj5TJN6Y9l9WDiQSesL1lfJhf

    Score
    10/10
    discoveryexecutionremcoshoraypersistencerat

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Remcos family

      remcos

    • Downloads MZ/PE file

    • Adds Run key to start application

      persistence

    • Blocklisted process makes network request

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

    • Target

      Respektlsestes.Ves

    • Size

      51KB

    • MD5

      f177e247c8beadd6e0762493d8e9fe79

    • SHA1

      008d26170d63c58d17695dfa8196e4ce8feb920a

    • SHA256

      825dc4cae1f45f17dc54bd1ec82d890b8266691b5fad32e7882fc8dc6bc2c71b

    • SHA512

      fa9a9a02bcb1d2725b228aea9a8141536578b9cf023b81c2df9a58e1e046f83314f85bb74dca5bd9c0a6ac6cbaad5d74269ae5efa2b15925609fe51308b81884

    • SSDEEP

      1536:3SUTaGUqdmQ8RJETuiBhBzcS6amUmRHYi:iUDQR0bBhCCSH7

    Score
    8/10
    executiondiscoverypersistence

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks