remcos | 08f15e4acb5af5b3095304fbfd9370d33ea57a561da66bc1239477cdc6530dc3 | Triage

Sharing

General

Target

z9ERDG51.exe
Size

92KB
Sample

201125-325ac1dbax
MD5

cc6a463987484ace0a9f98e327c85c2b
SHA1

1867031e6a7d7057d7d96cfd4ad99eba14afde1e
SHA256

08f15e4acb5af5b3095304fbfd9370d33ea57a561da66bc1239477cdc6530dc3
SHA512

9e8286d422cb012826eeb390073cbeb58b8685b86befd3b620dfce0b5e489db04ce15f91682cd000ac8508ea54e474935eaad3ef6aeaf7d6f4de159609bc9e19

Score

10^/10

remcos evasion persistence rat

Malware Config

Extracted

Family

remcos

C2

185.185.3.40:2404

Targets

- Target
  
  z9ERDG51.exe
- Size
  
  92KB
- MD5
  
  cc6a463987484ace0a9f98e327c85c2b
- SHA1
  
  1867031e6a7d7057d7d96cfd4ad99eba14afde1e
- SHA256
  
  08f15e4acb5af5b3095304fbfd9370d33ea57a561da66bc1239477cdc6530dc3
- SHA512
  
  9e8286d422cb012826eeb390073cbeb58b8685b86befd3b620dfce0b5e489db04ce15f91682cd000ac8508ea54e474935eaad3ef6aeaf7d6f4de159609bc9e19
Score

10^/10

remcos evasion persistence rat
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosevasionpersistencerat

behavioral2

remcosevasionpersistencerat