General

  • Target

    ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372

  • Size

    372KB

  • Sample

    250330-zlt69sypz7

  • MD5

    19937ad01f3fc2fe28941feb4c110ee8

  • SHA1

    46376eb5c9f27d82a7a43d7eca08553b18d72e60

  • SHA256

    ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372

  • SHA512

    d547496f9f7e520f3b558fc0e918ebe1ee384084aa4d9c849c28fc097697017ce4753d1a1a2957d4f99511ab90415f9b0017931267cc82120aa46151355ba782

  • SSDEEP

    6144:tqdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiKu:tAqQx+H2i+8LBNbdypazCXY8

Malware Config

Extracted

Family

remcos

Version

2.4.3 Pro

Botnet

TINo

C2

185.140.53.140:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    true

  • hide_file

    false

  • hide_keylog_file

    true

  • install_flag

    true

  • install_path

    %AppData%

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    Remcos-5S9O07

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372

    • Size

      372KB

    • MD5

      19937ad01f3fc2fe28941feb4c110ee8

    • SHA1

      46376eb5c9f27d82a7a43d7eca08553b18d72e60

    • SHA256

      ae5f2c9942b61b2f7282dd970e410f373e8cf50429c19dc7da38080513b5c372

    • SHA512

      d547496f9f7e520f3b558fc0e918ebe1ee384084aa4d9c849c28fc097697017ce4753d1a1a2957d4f99511ab90415f9b0017931267cc82120aa46151355ba782

    • SSDEEP

      6144:tqdgUkQx+HXGidCzj8LBb8Rw5Jdypyf6aCXYfhiKu:tAqQx+H2i+8LBNbdypazCXY8

    • Modifies WinLogon for persistence

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Adds Run key to start application

    • Modifies WinLogon

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks
