Deep Static Analysis — Remcos | Threat: high
File Identity
| Field | Value |
|---|---|
| SHA256 | 2b33ce2a4ea422205cf04741821d563c4596719f1721199876acbdecbfafd23a |
| MD5 | 5956a0271c475029a25f2769ef993a04 |
| SHA1 | 76d153d7a5c6f748123101450343813e1ecb82f7 |
| Size | 283137 bytes |
| Type | Not determined (the field held a local sample storage path rather than a file type) |
| Compile timestamp | Unknown |
| Packer | UPX (pipeline tag; binwalk below identifies the start of the file as an encrypted Zip archive and the family profile describes a multipart RAR, so verify the packer manually before relying on this tag) |
C2 address: encrypted/obfuscated configuration (could not be recovered by static analysis)
Capabilities
- None detected (obfuscated)
Developer Clues
PDB path: none recovered (the extraction command failed with a shell quoting error, so no PDB path was actually checked)
Telegram: @6Mxa @fcQv @xexA (unverified; Telegram usernames are at least 5 characters long, so these 4-character matches are pattern-scan noise from packed data rather than real handles)
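The PDB-path extraction above and the FILEPATH entries in the IOC list further down both failed for the same reason: the grep pattern `[^\s\"'\'<>|*?]` contains a single quote that terminates the single-quoted argument, so bash reads the following `|` as a pipe (hence "syntax error near unexpected token `|'"). The following script is an added example, not the report's pipeline code: it parses the CodeView RSDS record directly to find the PDB path, extracts drive-letter paths with the same build-noise filter the pipeline intended, derives profile user names, and keeps only Telegram handles that satisfy Telegram's 5-to-32 character rule. The byte blob, GUID, paths and handles are constructed for the demo and do not come from the analysed sample.

```python
import re
import struct

# Constructed byte blob standing in for a sample's raw bytes. It is NOT content
# from the analysed file; the paths, handles and GUID are made up for the demo.
RSDS_RECORD = (
    b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)      # signature, GUID, age
    + b"C:\\Users\\dev01\\source\\repos\\client\\Release\\client.pdb\x00"
)
SAMPLE = (
    b"\x00\x00" + RSDS_RECORD
    + b"junk@6Mxa\x00@fcQv\x00@xexA\x00https://t.me/real_handle42\x00"
    + b"C:\\Program Files\\dotnet\\sdk\\NuGetFallbackFolder\\x.dll\x00"
    + b"C:\\ProgramData\\svc\\update.exe\x00"
    + b"D:\\a\\1\\s\\packages\\Foo.1.0\\lib\\Foo.dll\x00"
    + b"C:\\Users\\victim\\AppData\\Roaming\\remcos\\logs.dat\x00"
)

# Drive-letter paths; spaces are allowed so "Program Files" stays in one piece.
WIN_PATH = re.compile(rb"[A-Za-z]:\\[^\x00\"'<>|*?\r\n\t]{5,150}")
# Same build-tool noise filter the report's pipeline intended to apply.
BUILD_NOISE = re.compile(rb"msbuild|nuget|packages|Microsoft\.NET", re.IGNORECASE)
USER_SEG = re.compile(r"^[A-Za-z]:\\Users\\([^\\]{2,30})\\", re.IGNORECASE)
TG_AT = re.compile(rb"@([A-Za-z0-9_]{1,32})")
TG_URL = re.compile(rb"t\.me/([A-Za-z0-9_]{1,32})")


def rsds_pdb_paths(data: bytes) -> list:
    """Parse CodeView RSDS records: b'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    The record pins where the path starts, which a bare regex over strings cannot do."""
    paths = []
    for m in re.finditer(rb"RSDS", data):
        start = m.end() + 20
        end = data.find(b"\x00", start)
        if end == -1:
            continue
        path = data[start:end]
        if path.lower().endswith(b".pdb"):
            paths.append(path.decode("latin-1"))
    return paths


def windows_paths(data: bytes, drop_build_noise: bool = True) -> list:
    """Drive-letter paths found in the blob, minus NuGet/MSBuild-style build locations."""
    found = set()
    for m in WIN_PATH.finditer(data):
        p = m.group(0)
        if drop_build_noise and BUILD_NOISE.search(p):
            continue
        found.add(p.decode("latin-1"))
    return sorted(found)


def profile_usernames(paths: list) -> list:
    """Account names taken from C:\\Users\\<name>\\ prefixes (developer or victim profiles)."""
    names = set()
    for p in paths:
        m = USER_SEG.match(p)
        if m:
            names.add(m.group(1))
    return sorted(names)


def telegram_handles(data: bytes) -> tuple:
    """Split '@name' and 't.me/name' hits into plausible handles and noise.
    Telegram usernames are 5 to 32 characters of [A-Za-z0-9_]; shorter hits
    such as @6Mxa cannot be real handles and are returned separately."""
    cands = {m.group(1) for m in TG_AT.finditer(data)}
    cands |= {m.group(1) for m in TG_URL.finditer(data)}
    valid = sorted(c.decode() for c in cands if 5 <= len(c) <= 32)
    noise = sorted(c.decode() for c in cands if len(c) < 5)
    return valid, noise


if __name__ == "__main__":
    print("PDB:", rsds_pdb_paths(SAMPLE))
    print("paths:", windows_paths(SAMPLE))
    print("users:", profile_usernames(windows_paths(SAMPLE)))
    print("telegram:", telegram_handles(SAMPLE))
```

Run it against the raw bytes of the unpacked sample rather than against `strings` output: the RSDS record's GUID contains NUL bytes, so `strings` splits it away from the path it introduces.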
PE Analysis
Binwalk / Packer
```text
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, encrypted compressed size: 28
```
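The identification above is internally inconsistent: the table reports the packer as UPX, binwalk sees an encrypted Zip archive at offset 0, and the family profile describes a multipart RAR. The script below is an added example, not part of the report or its pipeline, showing the cross-check a practitioner does before trusting a packer tag: classify the outer container by magic bytes (Zip local-file header with its encryption flag, RAR4/RAR5 signatures, MZ/PE), and for a PE walk the section table to see whether UPX0/UPX1 sections are present. The encrypted Zip header and the minimal PE built by `build_fake_pe` are constructed inputs, not bytes from the analysed sample.

```python
import struct

# Magic values for the container formats the report mentions (Zip, RAR, PE).
ZIP_LOCAL_MAGIC = b"PK\x03\x04"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"


def pe_section_names(data: bytes) -> list:
    """Return the section names of a PE file, or [] if the headers are not parseable."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_opt          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        if off + 8 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"))
    return names


def identify_container(data: bytes) -> dict:
    """Classify the outer container by magic bytes; for a PE, look for UPX section names.
    Section names are a heuristic only: a UPX build with renamed sections will not show them."""
    info = {"type": "unknown", "encrypted": None, "sections": [], "packer": None}
    if data.startswith(ZIP_LOCAL_MAGIC):
        # Local file header: general-purpose bit flag at offset 6, bit 0 = entry is encrypted
        flags = struct.unpack_from("<H", data, 6)[0]
        info.update(type="zip", encrypted=bool(flags & 0x1))
    elif data.startswith(RAR5_MAGIC):
        info["type"] = "rar5"
    elif data.startswith(RAR4_MAGIC):
        info["type"] = "rar4"
    elif data.startswith(b"MZ"):
        names = pe_section_names(data)
        info.update(type="pe", sections=names,
                    packer="UPX" if any(n.startswith("UPX") for n in names) else None)
    return info


def reconcile(reported_packer: str, data: bytes) -> str:
    """Compare a pipeline's packer tag with what the bytes actually say."""
    info = identify_container(data)
    if info["type"] != "pe":
        enc = " (encrypted)" if info["encrypted"] else ""
        return f"conflict: reported packer {reported_packer!r} but file is a {info['type']} container{enc}"
    if reported_packer.upper() == "UPX" and info["packer"] != "UPX":
        return "conflict: reported UPX but no UPX sections found"
    return "consistent"


def build_fake_pe(section_names: list) -> bytes:
    """Construct a minimal PE header (hypothetical test input, not a real sample)."""
    optional = b"\x0b\x01" + b"\x00" * 94                    # PE32 magic + padding (96 bytes)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x0102)
    sections = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    mz = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    return mz + b"PE\x00\x00" + coff + optional + sections


# Constructed inputs mirroring the report's conflicting findings.
ENCRYPTED_ZIP = ZIP_LOCAL_MAGIC + struct.pack("<HH", 20, 1) + b"\x00" * 22
UPX_PE = build_fake_pe(["UPX0", "UPX1", ".rsrc"])

if __name__ == "__main__":
    print(reconcile("UPX", ENCRYPTED_ZIP))   # the report's situation: tag and bytes disagree
    print(reconcile("UPX", UPX_PE))
```

If the outer file really is an encrypted archive, every downstream static result on this page (packer, strings, capabilities, C2 config) was computed on ciphertext, which explains the empty findings; extract the inner payload first and re-run the analysis on it.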
Family Detection
No string evidence found (encrypted/obfuscated).
Remcos — Malware Profile
Remcos RAT. Delivered as SCAN DOC LOI.r00, a multipart RAR archive, with a French "LOI" (law) themed lure. Five C2 substrings were observed. Developed and sold by Breaking Security.
Malware Type
RAT
Programming Language
C++
C2 Protocol
TCP/SSL
Target Systems
Windows
Also Known As (AKA)
RemcosRAT
Capabilities & Behavior
Remote access and control
Keylogger
Screen capture
Webcam access
File management
Process management
Command execution
Persistence mechanism
IOC List (3 indicators)
IOC — Remcos
| Type | Value | Note |
|---|---|---|
| sha1 | 76d153d7a5c6f748123101450343813e1ecb82f7 | |
| sha256 | 2b33ce2a4ea422205cf04741821d563c4596719f1721199876acbdecbfafd23a | |
| md5 | 5956a0271c475029a25f2769ef993a04 | |
No file-path indicators were recovered: the path extraction command failed with a shell quoting error before it ran.
C2 Servers (3 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country | Note |
|---|---|---|---|---|---|---|
| BreakingSecurity.net | domain | — | HTTP | active | — | Website of Breaking Security, the vendor named in the profile above; not attacker-controlled C2 infrastructure, so do not block it as such |
| pro.ip-api.com | domain | — | HTTP | active | — | Public IP-geolocation API; treat as a telemetry or geolocation lookup indicator rather than command-and-control infrastructure |
| UNKNOWN_HOST | unknown | 20343 | TCP | inactive | — | Only the port was recovered; the host is unknown |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.