remcos | 103976b6450174aa02b8cbe58309c741303ffd29a0611008e4f72f9023ca228a | Triage

Sharing

General

Target

IKEA VN - 1028-02-4003 + XE614 - 01.exe
Size

1.6MB
Sample

211028-hwh4bahecm
MD5

4f5872d9eed281bf8cc831ef9a64471a
SHA1

80923623eff6042cac91775a72bf9409039e0cbd
SHA256

103976b6450174aa02b8cbe58309c741303ffd29a0611008e4f72f9023ca228a
SHA512

a7f0853e4eeae9234ae09deac9b740920a7edaee0efd39256e7cf2e83f8dab27afa876eb0abc2e13c030f23e070a90b0aa90435fdc8ca3d42a9b2583dcf8d966

Score

10^/10

remcos reed agilenet persistence rat suricata

Malware Config

Extracted

Family

remcos

Version

3.2.0 Pro

Botnet

Reed

C2

ezfax2021.home-webserver.de:24133

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
iuis.exe
copy_folder
oiujhy
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
uhyg.dat
keylog_flag
false
keylog_folder
juhg
keylog_path
%AppData%
mouse_option
false
mutex
iuyhg-XOY14N
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
oiu
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  IKEA VN - 1028-02-4003 + XE614 - 01.exe
- Size
  
  1.6MB
- MD5
  
  4f5872d9eed281bf8cc831ef9a64471a
- SHA1
  
  80923623eff6042cac91775a72bf9409039e0cbd
- SHA256
  
  103976b6450174aa02b8cbe58309c741303ffd29a0611008e4f72f9023ca228a
- SHA512
  
  a7f0853e4eeae9234ae09deac9b740920a7edaee0efd39256e7cf2e83f8dab27afa876eb0abc2e13c030f23e070a90b0aa90435fdc8ca3d42a9b2583dcf8d966
Score

10^/10

remcos reed agilenet persistence rat suricata
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
  suricata: ET MALWARE Remocs 3.x Unencrypted Checkin
  suricata
- suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
  suricata: ET MALWARE Remocs 3.x Unencrypted Server Response
  suricata
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosreedagilenetpersistenceratsuricata

behavioral2

remcosreedagilenetpersistenceratsuricata