General

  • Target

    07042025_1506_07022025_Account Ledger_2025.rar

  • Size

    521KB

  • Sample

    250407-sgykkatsct

  • MD5

    2a503851d76d571e69d1b4ca3f4eb9dc

  • SHA1

    80e3497fac5643193aa78b52b7066977420aea1f

  • SHA256

    dc2f3f1950203532dc9f60c87355ba8d2706a107beaa95e9aa541764adfe029d

  • SHA512

    cb12b0e09babdf93812c213948f6af438817c29062fc34dd84dd73b7bab140232897a96e1f3f8f76ed275edb8440903c608c43db6656436876d1fd690a6892f4

  • SSDEEP

    12288:XtaoCtP7AbX1tYfQym1zT1WrQ8KsRq6V5FeBKj:XAoCYX1tYm1/y3KsRPIcj

Malware Config

Extracted

  • Family

    remcos

  • Version

    1.7 Pro

  • Botnet

    others

  • C2

    othersinr.duckdns.org:24041

Attributes

  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %AppData%

  • keylog_crypt

    false

  • keylog_file

    odds.dat

  • keylog_flag

    false

  • keylog_folder

    odas

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_gtokgevvym

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      Account Ledger_2025.exe

    • Size

      700KB

    • MD5

      ea0db1fa16704401139cf2da3f30b93c

    • SHA1

      ed294f2e545aee8e70cac971e870605d4438dfb9

    • SHA256

      dec84002b392f2f1cca8cc17540835756b9dc5ba63ed8bc56efe0c56a78b22fc

    • SHA512

      c52901311adaf13061d288db1700b3542b7f7672cc0d38921876fb6b2690716fbb19958e96c4430297567f749fc3edb7a114e9550e5f94c862377b2c4ecbcd50

    • SSDEEP

      12288:rlTT+PfLmuxTFgDA/mdgXKgESuV+y7qxbHvB325tV8B6slRIp4vHHEAmD:ZTiPjmuxBg0+gxhugRZHMnfsRG4vn

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

    • Remcos family

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks