Derin Statik Analiz — Remcos | Tehdit: high

Fichier Kimliği

SHA25640079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
MD5496caac1fa6369e93cb48970f72e26da
SHA1bd2a22a6bab8f5d5c146f6162ad28244ab22985b
Nom du fichier07_remcos_agent_7.1.0.bin
Taille514188 byte
Type/opt/ksentinel/samples/40079f05ba7cdcca_07_remcos_agent_7.1.0.bin: PE32 executable (GUI) Intel 80386
Date de compilationInconnu
PackerUPX

C2 Sunucuları / Dropper Domainleri

AdresTipDurum
BreakingSecurity.netDomainactive
pro.ip-api.comDomainactive

Tespit Edilen IOC'lar

ValeurTip
BreakingSecurity.netDomain
pro.ip-api.comDomain
https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&fieldURL
\AppData\Local\Google\Chrome\User Data\Default\CookiesMutex
\AppData\Local\Google\Chrome\User Data\Default\Login DataMutex

Yetenekler

  • Process Injection
  • Process Hollowing
  • Browser Credential Theft
  • HTTP C2
  • Anti-Debug

Şifreleme: -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

Geliştirici İpuçları

Telegram: @0D0H0L0P0T0X0 @0H0P0X0 @1H1P1X1 @2H2P2X2 @2L2V2b2l2x2

PE Analizi

PE Confiancelik Taraması

file entropy:                    6.600577 (normal)
fpu anti-disassembly:            no
imagebase:                       normal
entrypoint:                      normal
DOS stub:                        normal
TLS directory:                   found - no functions
timestamp:                       normal

Import Tablosu (özet)

Imported functions
    Library
        Name:                            KERNEL32.dll
        Functions
            Function
                Hint:                            323
                Name:                            FindNextFileA
            Function
                Hint:                            284
                Name:                            ExpandEnvironmentStringsA
           

Famille Tespiti — String Kanıtı

Remcos
Remcos Agent initialized (
Remcos restarted by watchdog!
	Remcos v

Remcos — Profil du malware

RemcosRAT. SCAN DOC LOI.r00 multipart RAR. French LOI law lure. Five c2 substrings. Breaking-Security developer.

Type de malware
RAT
Langage de programmation
C++
Protocole C2
TCP/SSL
Systèmes ciblés
Windows
Aussi connu sous (AKA)
RemcosRAT

Capacités et comportement

Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması

Liste IOC (12 indicateurs)

IOC — Remcos
# bd2a22a6bab8f5d5c146f6162ad28244ab22985b # SHA256 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1 # MD5 496caac1fa6369e93cb48970f72e26da # DOMAIN BreakingSecurity.net # DOMAIN pro.ip-api.com # MUTEX \AppData\Local\Google\Chrome\User Data\Default\Cookies # MUTEX \AppData\Local\Google\Chrome\User Data\Default\Login Data # FILEPATH C:\Program File # FILEPATH C:\Window # FILEPATH T:\:d:l:t: # FILEPATH X:\:`:d:h:l:p:t:x: # URL https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&field
TypeValeurNote
bd2a22a6bab8f5d5c146f6162ad28244ab22985b
sha256 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
md5 496caac1fa6369e93cb48970f72e26da
domain BreakingSecurity.net
domain pro.ip-api.com
mutex \AppData\Local\Google\Chrome\User Data\Default\Cookies
mutex \AppData\Local\Google\Chrome\User Data\Default\Login Data
filepath C:\Program File
filepath C:\Window
filepath T:\:d:l:t:
filepath X:\:`:d:h:l:p:t:x:
url https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&field

Serveurs C2 (3 serveurs enregistrés pour cette famille)

Adresse Type Port Protocole Statut Pays
BreakingSecurity.net domain — HTTP active —
pro.ip-api.com domain — HTTP active —
UNKNOWN_HOST unknown 20343 TCP inactive —

Les adresses C2 proviennent uniquement d'échantillons de malwares vérifiés manuellement par l'équipe KEYDAL. Toute utilisation commerciale est interdite.

Tags
remcosstatik-analizhighc2iocpe-analiz