Deep Static Analysis — Remcos | Threat: high
File Identity
| Field | Value |
|---|---|
| SHA256 | 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1 |
| MD5 | 496caac1fa6369e93cb48970f72e26da |
| SHA1 | bd2a22a6bab8f5d5c146f6162ad28244ab22985b |
| File Name | 07_remcos_agent_7.1.0.bin |
| Size | 514188 bytes |
| Type | /opt/ksentinel/samples/40079f05ba7cdcca_07_remcos_agent_7.1.0.bin: PE32 executable (GUI) Intel 80386 |
| Compile Date | Unknown |
| Packer | UPX |
C2 Servers / Dropper Domains
| Address | Type | Status |
|---|---|---|
| BreakingSecurity.net | Domain | active |
| pro.ip-api.com | Domain | active |
Detected IOCs
| Value | Type |
|---|---|
| BreakingSecurity.net | Domain |
| pro.ip-api.com | Domain |
| https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&field | URL |
| \AppData\Local\Google\Chrome\User Data\Default\Cookies | Mutex |
| \AppData\Local\Google\Chrome\User Data\Default\Login Data | Mutex |
Capabilities
- Process Injection
- Process Hollowing
- Browser Credential Theft
- HTTP C2
- Anti-Debug
Encryption: -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
Developer Hints
Telegram: @0D0H0L0P0T0X0 @0H0P0X0 @1H1P1X1 @2H2P2X2 @2L2V2b2l2x2
PE Analysis
PE Security Scan
- file entropy: 6.600577 (normal)
- fpu anti-disassembly: no
- imagebase: normal
- entrypoint: normal
- DOS stub: normal
- TLS directory: found - no functions
- timestamp: normal
Import Table (summary)
| Library | Function | Hint |
|---|---|---|
| KERNEL32.dll | FindNextFileA | 323 |
| KERNEL32.dll | ExpandEnvironmentStringsA | 284 |
Family Detection — String Evidence
Remcos Remcos Agent initialized ( Remcos restarted by watchdog! Remcos v
Remcos — Malware Profile
RemcosRAT. SCAN DOC LOI.r00 multipart RAR. French LOI law lure. Five c2 substrings. Breaking-Security developer.
Malware Type
RAT
Programming Language
C++
C2 Protocol
TCP/SSL
Target Systems
Windows
Also Known As (AKA)
RemcosRAT
Capabilities & Behavior
- Remote Access & Control
- Keylogger
- Screenshot Capture
- Webcam Access
- File Management
- Process Management
- Command Execution
- Persistence Mechanism
IOC List (12 indicators)
| Type | Value | Note |
|---|---|---|
| sha1 | bd2a22a6bab8f5d5c146f6162ad28244ab22985b | |
| sha256 | 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1 | |
| md5 | 496caac1fa6369e93cb48970f72e26da | |
| domain | BreakingSecurity.net | |
| domain | pro.ip-api.com | |
| mutex | \AppData\Local\Google\Chrome\User Data\Default\Cookies | |
| mutex | \AppData\Local\Google\Chrome\User Data\Default\Login Data | |
| filepath | C:\Program File | |
| filepath | C:\Window | |
| filepath | T:\:d:l:t: | |
| filepath | X:\:`:d:h:l:p:t:x: | |
| url | https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&field | |
C2 Servers (3 recorded servers for this family)
| Address | Type | Port | Protocol | Status | Country |
|---|---|---|---|---|---|
| BreakingSecurity.net | domain | — | HTTP | active | — |
| pro.ip-api.com | domain | — | HTTP | active | — |
| UNKNOWN_HOST | unknown | 20343 | TCP | inactive | — |
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.