Derin Statik Analiz — Remcos | Tehdit: high
文件 Kimliği
| SHA256 | 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1 |
|---|---|
| MD5 | 496caac1fa6369e93cb48970f72e26da |
| SHA1 | bd2a22a6bab8f5d5c146f6162ad28244ab22985b |
| 文件名 | 07_remcos_agent_7.1.0.bin |
| 大小 | 514188 byte |
| 类型 | /opt/ksentinel/samples/40079f05ba7cdcca_07_remcos_agent_7.1.0.bin: PE32 executable (GUI) Intel 80386 |
| 编译日期 | 未知 |
| Packer | UPX |
C2 Sunucuları / Dropper Domainleri
| Adres | Tip | Durum |
|---|---|---|
BreakingSecurity.net | Domain | active |
pro.ip-api.com | Domain | active |
Tespit Edilen IOC'lar
| 值 | Tip |
|---|---|
BreakingSecurity.net | Domain |
pro.ip-api.com | Domain |
https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&field | URL |
\AppData\Local\Google\Chrome\User Data\Default\Cookies | Mutex |
\AppData\Local\Google\Chrome\User Data\Default\Login Data | Mutex |
Yetenekler
- Process Injection
- Process Hollowing
- Browser Credential Theft
- HTTP C2
- Anti-Debug
Şifreleme: -----BEGIN RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
Geliştirici İpuçları
Telegram: @0D0H0L0P0T0X0 @0H0P0X0 @1H1P1X1 @2H2P2X2 @2L2V2b2l2x2
PE Analizi
PE 置信度lik Taraması
file entropy: 6.600577 (normal) fpu anti-disassembly: no imagebase: normal entrypoint: normal DOS stub: normal TLS directory: found - no functions timestamp: normal
Import Tablosu (özet)
Imported functions
Library
Name: KERNEL32.dll
Functions
Function
Hint: 323
Name: FindNextFileA
Function
Hint: 284
Name: ExpandEnvironmentStringsA
家族 Tespiti — String Kanıtı
Remcos Remcos Agent initialized ( Remcos restarted by watchdog! Remcos v
Remcos — 恶意软件档案
RemcosRAT. SCAN DOC LOI.r00 multipart RAR. French LOI law lure. Five c2 substrings. Breaking-Security developer.
恶意软件类型
RAT
编程语言
C++
C2协议
TCP/SSL
目标系统
Windows
别名 (AKA)
RemcosRAT
能力与行为
Uzaktan Erişim & Kontrol
Keylogger
Ekran Görüntüsü
Webcam Erişimi
Dosya Yönetimi
Süreç Yönetimi
Komut Yürütme
Kalıcılık Mekanizması
IOC列表 (12 个指标)
IOC — Remcos
#
bd2a22a6bab8f5d5c146f6162ad28244ab22985b
# SHA256
40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1
# MD5
496caac1fa6369e93cb48970f72e26da
# DOMAIN
BreakingSecurity.net
# DOMAIN
pro.ip-api.com
# MUTEX
\AppData\Local\Google\Chrome\User Data\Default\Cookies
# MUTEX
\AppData\Local\Google\Chrome\User Data\Default\Login Data
# FILEPATH
C:\Program File
# FILEPATH
C:\Window
# FILEPATH
T:\:d:l:t:
# FILEPATH
X:\:`:d:h:l:p:t:x:
# URL
https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&field
| 类型 | 值 | 备注 |
|---|---|---|
| bd2a22a6bab8f5d5c146f6162ad28244ab22985b | ||
| sha256 | 40079f05ba7cdccac1f62f8e7e1b644bc0a806b58465f5c005725bc54ee73ef1 | |
| md5 | 496caac1fa6369e93cb48970f72e26da | |
| domain | BreakingSecurity.net | |
| domain | pro.ip-api.com | |
| mutex | \AppData\Local\Google\Chrome\User Data\Default\Cookies | |
| mutex | \AppData\Local\Google\Chrome\User Data\Default\Login Data | |
| filepath | C:\Program File | |
| filepath | C:\Window | |
| filepath | T:\:d:l:t: | |
| filepath | X:\:`:d:h:l:p:t:x: | |
| url | https://pro.ip-api.com/line/?key=QPVvv1rHQJD2pd2&field |
C2服务器 (该家族共有 3 台已记录服务器)
| 地址 | 类型 | 端口 | 协议 | 状态 | 国家 |
|---|---|---|---|---|---|
| BreakingSecurity.net | domain | — | HTTP | active | — |
| pro.ip-api.com | domain | — | HTTP | active | — |
| UNKNOWN_HOST | unknown | 20343 | TCP | inactive | — |
C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。