remcos | 3f62a232dcf82e5678614dafedd81b8663ccc2e7fb556ba2bcf04dddb1115369 | Triage

Submit
Reports

Overview

overview

Static

static

Shipment D...pg.exe

windows7_x64

Shipment D...pg.exe

windows10-2004_x64

Sharing

General

Target

Shipment Document BL,INV and packing list.jpg.ace
Size

723KB
Sample

220513-halx3sfhck
MD5

f4cdbe7c700b93b204b5aa0f1c38ec5d
SHA1

9c84371a73f61f05ef322a18a380877a73c847bf
SHA256

3f62a232dcf82e5678614dafedd81b8663ccc2e7fb556ba2bcf04dddb1115369
SHA512

ff6c22dffd1d63bf2f9badaa02820af1cefa2eccb5602d84b71a2e32b280059d6fdf05d2ac1b22d38209867d869519f007bcc833e10b4a8352932b2055be500c

Score

10^/10

remcos host microsoft persistence phishing rat

Static task

static1

Behavioral task

behavioral1

Sample

Shipment Document BL,INV and packing list.jpg.exe

Resource

win7-20220414-en

remcos host persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Shipment Document BL,INV and packing list.jpg.exe

Resource

win10v2004-20220414-en

remcos host microsoft persistence phishing rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

194.5.97.32:5890

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_oqkhxjzletgovfx
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Targets

- Target
  
  Shipment Document BL,INV and packing list.jpg.exe
- Size
  
  1.6MB
- MD5
  
  672cc6ba8db2c80b6e0b8bfbd94f5eb0
- SHA1
  
  7d0dcda440b2ad736514c27f3b445ae8e4ae6c38
- SHA256
  
  59c5657e3e6221b1066f4e39fc36625fd84566cad13702e1e159453e27b93f41
- SHA512
  
  cfff8f8e5f6f5549729ec3fa2082a9c26ba322b289b132a5cb17f1c3b9cd4f5c4d326c167d285c2364eb442fda72e3114245a8acfc89699ca92f9d03fe1237d2
Score

10^/10

remcos host persistence rat microsoft phishing
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcoshostpersistencerat

behavioral2

remcoshostmicrosoftpersistencephishingrat

© 2018-2024

Terms | Privacy