remcos | 2238e83f8febb5591c0c5416f5e81d17a4d6a061a05230c4765b9af3faa26845 | Triage

Submit
Reports

Overview

overview

Static

static

2238e83f.exe

windows7_x64

2238e83f.exe

windows10-2004_x64

Sharing

General

Target

2238e83f.exe
Size

1.4MB
Sample

220520-p1jzqsfahl
MD5

abb0da45041a587897972066124a73fe
SHA1

5a82eb5e9ef349e798fc930f077e15e5e692fe5c
SHA256

2238e83f8febb5591c0c5416f5e81d17a4d6a061a05230c4765b9af3faa26845
SHA512

10c81fcbd10a23a26ac80c31098d736ada5f015df5da146c4f32939c13f396085b22c74b24da69dd5b91836a4ab5744dfc5310aa284358b7a689ad73cc6a5e25

Score

10^/10

remcos host microsoft persistence phishing rat

Static task

static1

Behavioral task

behavioral1

Sample

2238e83f.exe

Resource

win7-20220414-en

remcos host persistence rat

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

2238e83f.exe

Resource

win10v2004-20220414-en

remcos host microsoft persistence phishing rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

194.5.97.32:5890

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
remcos_oqkhxjzletgovfx
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Targets

- Target
  
  2238e83f.exe
- Size
  
  1.4MB
- MD5
  
  abb0da45041a587897972066124a73fe
- SHA1
  
  5a82eb5e9ef349e798fc930f077e15e5e692fe5c
- SHA256
  
  2238e83f8febb5591c0c5416f5e81d17a4d6a061a05230c4765b9af3faa26845
- SHA512
  
  10c81fcbd10a23a26ac80c31098d736ada5f015df5da146c4f32939c13f396085b22c74b24da69dd5b91836a4ab5744dfc5310aa284358b7a689ad73cc6a5e25
Score

10^/10

remcos host persistence rat microsoft phishing
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcoshostpersistencerat

behavioral2

remcoshostmicrosoftpersistencephishingrat

© 2018-2024

Terms | Privacy