General

  • Target

    d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe

  • Size

    748KB

  • Sample

    240705-cat1sszckn

  • MD5

    1a047b9b776d41ec61cc91286c27be07

  • SHA1

    42f4eb3e00d258e61cf98a125d025692ac68c88a

  • SHA256

    d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68

  • SHA512

    58f8c02e634ca82fc95472d29e49931c15edaad03a0a81d672b72e817037a5b3419e25a0f97bef7c7f5c7d681a67e2416f3b7744656bc8ab62ce474d36d96b46

  • SSDEEP

    12288:93VEnc1eUjaXZzl3azhfy4hamcUWQn3MN0KyBHyeFGjEvJ1EodxB4LP:93V3eUjaXZp3az1yUaZUXc6fBS2GjEvC

Malware Config

Extracted

Family

remcos

Botnet

thurssday

C2

191.101.130.177:6903

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-HCF7F5

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5
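
The extracted configuration above is mostly useful as a set of indicators, and the flags tell you which host artifacts will actually exist. As an added example (not part of the sandbox report or of Remcos itself), the Python below parses a `key: value` rendering of that config, pulls out the C2 endpoint, mutex and beacon timing, lists which capabilities are switched on, and derives the on-disk paths to expect given the flags; in this build every capability flag is false, so the keylog and screenshot paths should not be present on an infected host and the mutex and C2 socket are the reliable indicators. The mapping of flags to paths, the `%AppData%` base for the copy and keylog folders, the Suricata rule text and the rule sid 9000001 are assumptions for illustration, not facts from the report.

```python
"""Turn the Remcos config extracted above into hunting indicators.

Added example, not from the sandbox report or from Remcos. CONFIG_TEXT is
constructed from the report's "Extracted" section. The flag-to-artifact
mapping (install_flag -> copy_folder\\copy_file, keylog_flag ->
keylog_folder\\keylog_file, screenshot_flag -> screenshot_path\\
screenshot_folder) and the %AppData% base for the copy and keylog folders
are assumptions about Remcos behaviour, not report facts.
"""

CONFIG_TEXT = """\
family: remcos
botnet: thurssday
c2: 191.101.130.177:6903
audio_folder: MicRecords
audio_record_time: 5
connect_delay: 0
connect_interval: 1
copy_file: remcos.exe
copy_folder: Remcos
delete_file: false
hide_file: false
hide_keylog_file: false
install_flag: false
keylog_crypt: false
keylog_file: logs.dat
keylog_flag: false
keylog_folder: remcos
mouse_option: false
mutex: Rmc-HCF7F5
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
take_screenshot_option: false
take_screenshot_time: 5
"""

# Boolean config keys and the capability each one enables (assumed names).
CAPABILITY_FLAGS = {
    "install_flag": "persistence copy",
    "keylog_flag": "keylogging",
    "screenshot_flag": "periodic screenshots",
    "take_screenshot_option": "triggered screenshots",
    "mouse_option": "mouse capture",
    "hide_file": "hide dropped file",
    "delete_file": "delete original",
}


def parse_config(text):
    """Parse 'key: value' lines; c2 may repeat, so it is kept as a list."""
    cfg = {"c2": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first ':' only; c2 keeps its port
        key, value = key.strip(), value.strip()
        if key == "c2":
            cfg["c2"].append(value)
        else:
            cfg[key] = value
    return cfg


def is_on(value):
    return value.strip().lower() in ("true", "1", "yes")


def parse_c2(entry):
    """'host:port' -> (host, port); rpartition keeps any ':' inside the host."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def build_iocs(cfg):
    base = "%AppData%"  # assumed base for copy_folder and keylog_folder
    return {
        "network": [parse_c2(e) for e in cfg["c2"]],
        "mutex": [cfg["mutex"]] if cfg.get("mutex") else [],
        "beacon": (int(cfg.get("connect_delay", 0)),
                   int(cfg.get("connect_interval", 0))),
        "enabled_capabilities": [name for flag, name in CAPABILITY_FLAGS.items()
                                 if is_on(cfg.get(flag, "false"))],
        # (path, expected_on_disk): a path only materialises when its flag is on
        "file_artifacts": [
            (f"{base}\\{cfg['copy_folder']}\\{cfg['copy_file']}",
             is_on(cfg["install_flag"])),
            (f"{base}\\{cfg['keylog_folder']}\\{cfg['keylog_file']}",
             is_on(cfg["keylog_flag"])),
            (f"{cfg['screenshot_path']}\\{cfg['screenshot_folder']}",
             is_on(cfg["screenshot_flag"])),
        ],
    }


def suricata_rules(cfg, sid):
    """One alert per C2 endpoint; the sid base is caller-supplied (hypothetical)."""
    return [
        f'alert tcp $HOME_NET any -> {host} {port} '
        f'(msg:"Remcos C2 botnet {cfg.get("botnet", "?")}"; flow:to_server; '
        f'sid:{sid + i}; rev:1;)'
        for i, (host, port) in enumerate(parse_c2(e) for e in cfg["c2"])
    ]


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    iocs = build_iocs(cfg)
    print("C2:", iocs["network"], "delay/interval:", iocs["beacon"])
    print("Mutex:", iocs["mutex"])
    print("Enabled:", iocs["enabled_capabilities"] or "none (bare RAT build)")
    for path, expected in iocs["file_artifacts"]:
        print(("expect: " if expected else "flag off, not expected: ") + path)
    for rule in suricata_rules(cfg, 9000001):
        print(rule)
```

Run it as-is to print the indicator summary; swap in another sample's extracted config to see which artifacts flip from "flag off" to "expect".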

Targets

    • Target

      d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68.exe

    • Size

      748KB

    • MD5

      1a047b9b776d41ec61cc91286c27be07

    • SHA1

      42f4eb3e00d258e61cf98a125d025692ac68c88a

    • SHA256

      d56ddb9b2cb85e97a55f366aa00f53ffa566a6aa42964e56646cfb58663afd68

    • SHA512

      58f8c02e634ca82fc95472d29e49931c15edaad03a0a81d672b72e817037a5b3419e25a0f97bef7c7f5c7d681a67e2416f3b7744656bc8ab62ce474d36d96b46

    • SSDEEP

      12288:93VEnc1eUjaXZzl3azhfy4hamcUWQn3MN0KyBHyeFGjEvJ1EodxB4LP:93V3eUjaXZp3az1yUaZUXc6fBS2GjEvC

    • Remcos

      Remcos is closed-source remote control and surveillance software.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      Arbitrational/Popgunnery/Bibliotekskredses/sknlitteraturer.oth

    • Size

      1KB

    • MD5

      a776bbf47131d62b0e0ad1e7e9606ef6

    • SHA1

      c8af35220a6fbb5c82d152242ea6cd2ecf135e01

    • SHA256

      fcddfc05abba3bbba0aaf7623dc733af59ad9a25f109c1c47d735cec977e4219

    • SHA512

      b14c93322a68da92158554d9d8ca1c8e57edd16142e58a5e2a186a7e012ced6489a4055b31cb8f6edd0703067351260a94fde25f4c84091e406f3ec6f0d3b2ba

    Score
    3/10

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    • Command and Scripting Interpreter (T1059): 1
      • PowerShell (T1059.001): 1
  • Discovery
    • System Information Discovery (T1082): 2
  • Command and Control
    • Web Service (T1102): 1

Tasks