Deep Static Analysis — Remcos | Threat: high

File Identity

SHA256:        40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
MD5:           496caac1fa6369e93cb48970f72e26da
SHA1:          bd2a22a6bab8f5d5c146f6162ad28244ab22985b
File name:     07_remcos_agent_7.1.0.bin
Size:          514188 bytes
Type:          /opt/ksentinel/samples/40079f05ba7cdcca_07_remcos_agent_7.1.0.bin: PE32 executable (GUI) Intel 80386
Compile date:  Unknown
Packer:        UPX

C2 Servers / Dropper Domains

Address Type Status
BreakingSecurity.net Domain active
pro.ip-api.com Domain active

Detected IOCs

Value Type
BreakingSecurity.net Domain
pro.ip-api.com Domain
https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&field URL
\AppData\Local\Google\Chrome\User Data\Default\Cookies Mutex
\AppData\Local\Google\Chrome\User Data\Default\Login Data Mutex

Capabilities

  • Process Injection
  • Process Hollowing
  • Browser Credential Theft
  • HTTP C2
  • Anti-Debug

Encryption: -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

Developer Hints

Telegram: @0D0H0L0P0T0X0 @0H0P0X0 @1H1P1X1 @2H2P2X2 @2L2V2b2l2x2

PE Analysis

PE Security Scan

file entropy:                    6.600577 (normal)
fpu anti-disassembly:            no
imagebase:                       normal
entrypoint:                      normal
DOS stub:                        normal
TLS directory:                   found - no functions
timestamp:                       normal

Import Table (summary)

Imported functions
    Library
        Name:                            KERNEL32.dll
        Functions
            Function
                Hint:                            323
                Name:                            FindNextFileA
            Function
                Hint:                            284
                Name:                            ExpandEnvironmentStringsA

Family Detection — String Evidence

Remcos
Remcos Agent initialized (
Remcos restarted by watchdog!
	Remcos v

Remcos — Malware Profile

RemcosRAT. SCAN DOC LOI.r00, a multipart RAR, with a French "LOI" (law) lure. Five C2 substrings. Developer: Breaking-Security.

Malware Type:          RAT
Programming Language:  C++
C2 Protocol:           TCP/SSL
Target Systems:        Windows
Also Known As (AKA):   RemcosRAT

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (12 indicators)

IOC — Remcos
Type Value Note
sha1 bd2a22a6bab8f5d5c146f6162ad28244ab22985b
sha256 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
md5 496caac1fa6369e93cb48970f72e26da
domain BreakingSecurity.net
domain pro.ip-api.com
mutex \AppData\Local\Google\Chrome\User Data\Default\Cookies
mutex \AppData\Local\Google\Chrome\User Data\Default\Login Data
filepath C:\Program File
filepath C:\Window
filepath T:\:d:l:t:
filepath X:\:`:d:h:l:p:t:x:
url https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&field

C2 Servers (3 recorded servers for this family)

Address Type Port Protocol Status Country
BreakingSecurity.net domain — HTTP active —
pro.ip-api.com domain — HTTP active —
UNKNOWN_HOST unknown 20343 TCP inactive —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
remcos, static-analysis, high, c2, ioc, pe-analysis