remcos | cb04e8c4131fdb0b74051052efef4ee111e2b84741cd9d1ce0dec24c4a0079a0 | Triage

Sharing

General

Target

cb04e8c4131fdb0b74051052efef4ee111e2b84741cd9d1ce0dec24c4a0079a0
Size

182KB
Sample

220521-bn1j3afbhm
MD5

49b43e6f6a8987eb7a519a0396ee5785
SHA1

9892e1cc1cd05b10c086217d27130502becd4840
SHA256

cb04e8c4131fdb0b74051052efef4ee111e2b84741cd9d1ce0dec24c4a0079a0
SHA512

3805d1c62e9e2a87eaeab16f5f5171e292639617af40bf8b289a87ca8af2af1211ea6aabde1446add050021b3017331f6ba251ca03f6c0e6edf102c1b9c48c07

Score

10^/10

remcos marshal host coreentity rat rezer0

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

MARSHAL HOST

C2

194.5.99.143:6666

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NTSQI6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  Quotation Sheet and PO-including FOB, MOQ.exe
- Size
  
  240KB
- MD5
  
  575d7ca2e5fc3ff6e2d568ab8c67c5d8
- SHA1
  
  9c399b34f7391602b3b70cb7b4b60a1af8d0b65e
- SHA256
  
  fd4d0c198aa010dee3d726fe7d7a526725b51404c1684b7df9d520455e5d16ec
- SHA512
  
  deaeb797c0667351290b5d84716dee1faeead5228c440b270b1fd18bc805b07e0292206d386807d88337ae388b209d83addf8b3d21542b5ae7c1341233881a92
Score

10^/10

remcos marshal host coreentity rat rezer0
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosmarshal hostcoreentityratrezer0

behavioral2

remcosmarshal hostrat