remcos | 2c9cd435aac24791345ba8e83376fba1f94954b92e9432242c808558673ec7ce | Triage

Sharing

General

Target

SLIP.exe
Size

1.6MB
Sample

210118-a24bzkxyla
MD5

7304a6051681ce10b5f0d7f207630435
SHA1

12a1633f08f9fd57037ba281a25f3dfa33fbb45b
SHA256

2c9cd435aac24791345ba8e83376fba1f94954b92e9432242c808558673ec7ce
SHA512

8e6caaa8d002bfcbfed7bf09d350d1f654cf393838d4ae60dee4ba700ac90f2d57e89025592a137b3069332b685f7dce4bab9e2aff022ba21453f1ca331fb507

Score

10^/10

remcos persistence rat

Malware Config

Extracted

Family

remcos

C2

chhjvhvkjbhliiuyuj.duckdns.org:20909

Targets

- Target
  
  SLIP.exe
- Size
  
  1.6MB
- MD5
  
  7304a6051681ce10b5f0d7f207630435
- SHA1
  
  12a1633f08f9fd57037ba281a25f3dfa33fbb45b
- SHA256
  
  2c9cd435aac24791345ba8e83376fba1f94954b92e9432242c808558673ec7ce
- SHA512
  
  8e6caaa8d002bfcbfed7bf09d350d1f654cf393838d4ae60dee4ba700ac90f2d57e89025592a137b3069332b685f7dce4bab9e2aff022ba21453f1ca331fb507
Score

10^/10

remcos persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcospersistencerat

behavioral2

remcospersistencerat