General

  • Target

    RFx6200306423-RRP21-0380-PDF.JS

  • Size

    1.5MB

  • Sample

    250520-xttvcsbk7x

  • MD5

    06ad3b34bb91b075be86e2c02525f428

  • SHA1

    42beaa51e76a96500413f2263ff2d2f52c0e3fda

  • SHA256

    544d1d3e2717f0f78c332cb3b1e234c5a6dabd2a4aff547aff382d1e802bfdcf

  • SHA512

    74e6bd950735d322ac6cd2a63656677577b53036217825e0c9d7920414aca174cf25e9a406bc3714a850a2aae5e2018f3bc568101a253bbd722d1599c3abad2d

  • SSDEEP

    768:a/YLCQQEhUOdEXf57D3alcCMB4VZJ0vxWHZ/Fwbm+SW5KhSlaaXhXmQZy1n:0rBPw3zQdQn

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    ps1.dropper
    https://webmail.aruba.it/smart/cgi-bin/ajaxfile?ACT_FIL_DL=1&PUBLICUID=@1.VFMxM0RLUmlpak5VUCt4RkdEU3luR3VzRmxneHAzUStkTzBJZythWmhBYUx6djNYVzBsV1NFYVlDNmp5b3NwMA==

    exe.dropper
    https://webmail.aruba.it/smart/cgi-bin/ajaxfile?ACT_FIL_DL=1&PUBLICUID=@1.VFMxM0RLUmlpak5VUCt4RkdEU3luR3VzRmxneHAzUStkTzBJZythWmhBYUx6djNYVzBsV1NFYVlDNmp5b3NwMA==

    Both stages are tagged to the same link. webmail.aruba.it is the webmail service of a large Italian hosting provider, so the hostname on its own is not a usable block indicator; hunt or block on the full URL, i.e. the ACT_FIL_DL=1 download endpoint with this PUBLICUID token.

Extracted

  • Family

    remcos

  • Botnet

    RemoteHost

  • C2

    enermax-com.cc:2404
    flexiplast.cc:2404
    truelifemed.cam:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-83I10F

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5
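The extracted configuration above is enough to build host and network hunt indicators. The following is an added example, not output of the sandbox or part of this report: it copies the extracted values into a dict, derives the (host, port) C2 pairs, the mutex, the self-copy and keylog path suffixes and the Run value name, and runs them over a few constructed telemetry events (the event shape and values are made up for illustration). Because install_flag and keylog_flag are false for this build, the file and registry artifacts are not expected from this sample; the matcher reports that alongside each hit.

```python
"""Hunt indicators derived from the Remcos config extracted above, applied to
constructed endpoint telemetry.  Added example, not sandbox output."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Values copied from the "Extracted / remcos" attributes in this report.
REMCOS_CONFIG = {
    "c2": ["enermax-com.cc:2404", "flexiplast.cc:2404", "truelifemed.cam:2404"],
    "mutex": "Rmc-83I10F",
    "install_flag": False,
    "copy_folder": "Remcos",
    "copy_file": "remcos.exe",
    "startup_value": "Remcos",
    "keylog_flag": False,
    "keylog_folder": "remcos",
    "keylog_file": "logs.dat",
}


@dataclass
class Indicators:
    c2: Set[Tuple[str, int]]   # (host, port) pairs the implant beacons to
    mutex: str                 # mutex created at start-up; the most reliable host IOC here
    install_suffix: str        # trailing path of the self-copy: \<copy_folder>\<copy_file>
    run_value: str             # value name under ...\CurrentVersion\Run
    keylog_suffix: str         # trailing path of the keystroke log
    installs: bool             # install_flag: does this build self-copy and persist?
    keylogs: bool              # keylog_flag: does this build write the log at all?


def indicators_from_config(cfg: dict) -> Indicators:
    """Turn the raw attribute dump into values a matcher can use directly."""
    c2 = set()
    for entry in cfg["c2"]:
        host, _, port = entry.rpartition(":")
        c2.add((host.lower(), int(port)))
    return Indicators(
        c2=c2,
        mutex=cfg["mutex"],
        install_suffix=f"\\{cfg['copy_folder']}\\{cfg['copy_file']}".lower(),
        run_value=cfg["startup_value"],
        keylog_suffix=f"\\{cfg['keylog_folder']}\\{cfg['keylog_file']}".lower(),
        installs=bool(cfg["install_flag"]),
        keylogs=bool(cfg["keylog_flag"]),
    )


# Constructed telemetry in a generic (kind + fields) shape; not a real log.
SAMPLE_EVENTS = [
    {"kind": "net", "image": "remcos.exe", "dest": "ENERMAX-COM.CC", "port": 2404},
    {"kind": "net", "image": "firefox.exe", "dest": "example.com", "port": 443},
    {"kind": "net", "image": "remcos.exe", "dest": "flexiplast.cc", "port": 443},  # wrong port
    {"kind": "mutex", "image": "remcos.exe", "name": "Rmc-83I10F"},
    {"kind": "file", "image": "powershell.exe",
     "path": r"C:\Users\u\AppData\Roaming\Remcos\remcos.exe"},
    {"kind": "reg", "image": "remcos.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Remcos"},
    {"kind": "file", "image": "remcos.exe", "path": r"C:\Users\u\AppData\Roaming\remcos\logs.dat"},
]


def match_events(events: List[dict], ind: Indicators) -> List[Tuple[str, str, bool]]:
    """Return (rule, detail, expected_for_this_build) per hit.

    The third field is False for artifacts this config does not enable
    (install_flag / keylog_flag are false): still worth alerting on, because
    the same operator may push a build that does install, but not evidence
    that *this* sample ran."""
    hits = []
    for ev in events:
        kind = ev["kind"]
        if kind == "net" and (ev["dest"].lower(), ev["port"]) in ind.c2:
            hits.append(("remcos_c2", f"{ev['dest']}:{ev['port']}", True))
        elif kind == "mutex" and ev["name"] == ind.mutex:
            hits.append(("remcos_mutex", ev["name"], True))
        elif kind == "file" and ev["path"].lower().endswith(ind.install_suffix):
            hits.append(("remcos_install_copy", ev["path"], ind.installs))
        elif kind == "file" and ev["path"].lower().endswith(ind.keylog_suffix):
            hits.append(("remcos_keylog", ev["path"], ind.keylogs))
        elif (kind == "reg" and ev["key"].lower().endswith("\\currentversion\\run")
              and ev["value"] == ind.run_value):
            hits.append(("remcos_run_key", ev["key"] + "\\" + ev["value"], ind.installs))
    return hits


if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, indicators_from_config(REMCOS_CONFIG)):
        print(hit)
```

The C2 match is on the exact host:port pair; a connection to flexiplast.cc on 443 deliberately does not fire, since the config pins all three servers to 2404 and the domains may also be parked or shared.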

Targets

    • Target

      RFx6200306423-RRP21-0380-PDF.JS (1.5MB; MD5, SHA1, SHA256, SHA512 and SSDEEP as listed under General above)

    • Remcos

      Remcos is closed-source remote control and surveillance software, sold commercially and widely abused as a RAT.

    • Remcos family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its display window hidden.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Suspicious use of SetThreadContext

      Typically the final step of process hollowing, where a loader points a suspended process's thread at an injected payload.
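Two of the signatures above translate directly into rules over process-creation and registry telemetry. The following is an added example, not the sandbox's own signature logic: the hidden-window rule mirrors how powershell.exe accepts unambiguous switch prefixes (-w, -win, -WindowStyle) and also decodes -EncodedCommand payloads to catch a nested hidden launch; the location rule keys on the registry path under Control Panel\International\Geo, which is an assumption about what the sandbox signature reads. The events and command lines are constructed for illustration and are not the dropper's actual ones.

```python
"""Rules for two of the behavioural signatures above ("Command and Scripting
Interpreter: PowerShell" with a hidden window, "Checks computer location
settings"), run over constructed telemetry.  Added example, not sandbox logic."""
import base64
import re
from typing import List, Optional, Tuple


def _prefix(word: str, min_len: int) -> str:
    """Regex for any prefix of `word` at least `min_len` long: powershell.exe
    accepts unambiguous switch prefixes, so -w, -win and -WindowStyle are equal."""
    tail = ""
    for ch in reversed(word[min_len:]):
        tail = f"(?:{re.escape(ch)}{tail})?"
    return re.escape(word[:min_len]) + tail


# Token boundaries that also accept a quote or parenthesis, because nested
# launches usually arrive as  -ArgumentList '-w hidden ...'.
_B = r"(?<![^\s'\"(])"
_E = r"(?![^\s'\")])"
# "-w hidden", "/WindowStyle Hidden", "-win 1" (ProcessWindowStyle.Hidden == 1).
HIDDEN_WINDOW = re.compile(_B + r"[-/]" + _prefix("windowstyle", 1)
                           + r"\s+(?:hidden|1)" + _E, re.I)
# "-e", "-enc", "-EncodedCommand" and the documented short form "-ec".
ENCODED_COMMAND = re.compile(_B + r"[-/](?:" + _prefix("encodedcommand", 1)
                             + r"|ec)\s+([A-Za-z0-9+/=]+)", re.I)
# Assumption: the location check reads the configured country from this key.
GEO_KEY = re.compile(r"\\control panel\\international\\geo(?:\\|$)", re.I)


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries UTF-16LE text, base64-encoded."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hidden_powershell(cmdline: str, depth: int = 3) -> bool:
    """True when the command line asks for a hidden window, including inside
    an -EncodedCommand payload (droppers often nest a second launch there)."""
    if HIDDEN_WINDOW.search(cmdline):
        return True
    if depth == 0:
        return False
    for b64 in ENCODED_COMMAND.findall(cmdline):
        inner = decode_encoded_command(b64)
        if inner and hidden_powershell(inner, depth - 1):
            return True
    return False


def geofence_lookup(reg_key: str) -> bool:
    return bool(GEO_KEY.search(reg_key))


def _encode(script: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed events; the JS filename is this sample's, the command lines are
# illustrative and not the dropper's actual ones.
SAMPLE_EVENTS = [
    {"kind": "proc", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\RFx6200306423-RRP21-0380-PDF.JS"'},
    {"kind": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\stage.ps1"},
    {"kind": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -enc "
                + _encode("Start-Process powershell -ArgumentList '-win 1 -c Get-Date'")},
    {"kind": "proc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Minimized -Command Get-Date"},
    {"kind": "reg", "image": r"C:\Users\u\AppData\Local\Temp\stage.exe",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"kind": "reg", "image": r"C:\Windows\explorer.exe",
     "key": r"HKCU\Control Panel\Desktop\WallPaper"},
]


def run_rules(events: List[dict]) -> List[Tuple[str, str]]:
    hits = []
    for ev in events:
        image = ev["image"].lower()
        if (ev["kind"] == "proc" and image.endswith(("powershell.exe", "pwsh.exe"))
                and hidden_powershell(ev["cmdline"])):
            hits.append(("powershell_hidden_window", ev["cmdline"][:60]))
        elif ev["kind"] == "reg" and geofence_lookup(ev["key"]):
            hits.append(("geofence_registry_lookup", ev["image"]))
    return hits


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print(hit)
```

The -WindowStyle Minimized launch is there on purpose: it is the common false positive when the rule is written as a loose substring match on "-w", and the prefix regex rejects it because the value is not Hidden. The geofence rule is low-signal on its own (installers and localisation code read the same key) and is best used as an enrichment on a process that already tripped the PowerShell or Remcos rules.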

MITRE ATT&CK Enterprise v16