Deep Static Analysis — Remcos | Threat: high

File Identity

SHA256: 2b33ce2a4ea422205cf04741821d563c4596719f1721199876acbdecbfafd23a
MD5: 5956a0271c475029a25f2769ef993a04
SHA1: 76d153d7a5c6f748123101450343813e1ecb82f7
Size: 283137 bytes
Type: /opt/ksentinel/samples/40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54
Compiled: Unknown
Packer: UPX
C2 Address: Encrypted/obfuscated config (could not be resolved by static analysis)

Capabilities

  • Not detected (obfuscated)

Developer Hints

PDB Path: none recovered (the report's path-extraction command failed with a shell syntax error)

Telegram: @6Mxa @fcQv @xexA

PE Analysis

Binwalk / Packer

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, encrypted compressed size: 28

Family Detection

No string evidence found (encrypted/obfuscated).

Remcos — Malware Profile

RemcosRAT. Delivered as "SCAN DOC LOI.r00", a multipart RAR archive, using a French-language "LOI" (law) themed lure. Five C2 substrings. Developer: Breaking-Security.

Malware Type: RAT
Programming Language: C++
C2 Protocol: TCP/SSL
Target Systems: Windows
Also Known As (AKA): RemcosRAT

Capabilities & Behavior

Remote Access & Control
Keylogger
Screenshot Capture
Webcam Access
File Management
Process Management
Command Execution
Persistence Mechanism

IOC List (5 indicators)

IOC — Remcos

Type      Value                                                              Note
sha1      76d153d7a5c6f748123101450343813e1ecb82f7
sha256    2b33ce2a4ea422205cf04741821d563c4596719f1721199876acbdecbfafd23a
md5       5956a0271c475029a25f2769ef993a04
filepath  (none recovered)                                                   the report's path-extraction command failed with a shell syntax error; the two filepath entries carry no indicator value

C2 Servers (3 recorded servers for this family)

Address               Type     Port   Protocol  Status    Country
BreakingSecurity.net  domain   —      HTTP      active    —
pro.ip-api.com        domain   —      HTTP      active    —
UNKNOWN_HOST          unknown  20343  TCP       inactive  —

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
remcos, static-analysis, high, c2, ioc, pe