Overview

overview

10

Static

static

1

559122ff10...bb.xls

windows7-x64

10

559122ff10...bb.xls

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    93728a4082d57c877a1d0ece7c233e42.bin

  • Size

    422KB

  • Sample

    240705-c22jyssgnc

  • MD5

    4a55959b859620c702fbe684bf34b0b3

  • SHA1

    90f5e0749ca70b9c8371161992ba4d850a987d4d

  • SHA256

    1e7393ab4551dea0a8a01384374c9706962a0da43d41b06c02885b76505d5e08

  • SHA512

    30c9754eab86487cf575095f6011c3a4f99388503532fb23c766706e4a95d26c551b8dfebf4013f6a64da4c88190d370a00471ca0b1c9670bc520277eed63dba

  • SSDEEP

    12288:Ju0FY1hEam6Q8aX47pfrX74xMq4BzpbHk:k0+iQr74xMJC

Score
10/10
remcos2556phishingrat

Malware Config

Extracted

Family

remcos

Botnet

2556

C2

bossnacarpet.com:2556

vegetachcnc.com:2556
Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    chrome-6W1HCC

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Targets

    • Target

      559122ff10dc062b44d239d7867a47266f0b8b1088df6551dcfa0f75eb1014bb.xls

    • Size

      448KB

    • MD5

      93728a4082d57c877a1d0ece7c233e42

    • SHA1

      d549cf4aa78a533c6f1426a69ee20b6e2f835f10

    • SHA256

      559122ff10dc062b44d239d7867a47266f0b8b1088df6551dcfa0f75eb1014bb

    • SHA512

      bf9831c184f080f5cd412e695752ee121b0103e8c3fb72a44d0a6629bc9dcb1a251b42d1ad0f206bb6648d1e9467244e503c93680ba4d039c17fac6383e0bc33

    • SSDEEP

      12288:Q6NCLDmASpozwjTqCfgAD9Bbkx3Vn5ktHMOoQO:Q6NCHVWWCfguBb+V5iHHo

    Score
    10/10
    remcos2556phishingrat

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Remcos

      Remcos is a closed-source remote control and surveillance software.

      ratremcos

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1
T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

3
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks