remcos | 6201c84444a1047e33e7ce68bf998d9470b950f76ec919322c1f24c865ba547d | Triage

Submit
Reports

Overview

overview

Static

static

9

New Order ...97.exe

windows7_x64

New Order ...97.exe

windows10-2004_x64

Sharing

General

Target

6201c84444a1047e33e7ce68bf998d9470b950f76ec919322c1f24c865ba547d
Size

300KB
Sample

220521-pbjyfaabfk
MD5

2f5d8fca0e6dedc5a066339a8ffeb0f7
SHA1

4ab3b37a21fdd39df479325069d9c976dc0dcc5d
SHA256

6201c84444a1047e33e7ce68bf998d9470b950f76ec919322c1f24c865ba547d
SHA512

1a56303e6902aeb33e2511f8dd6c5f8a4bdd36a41fead2f162ccfb9d052b27af0be97e6146ddb572da6793bfebdcb551df8b68222cc0333bc351ab01a7847102

Score

10^/10

remcos remotehost coreentity rat rezer0

Static task

static1

Behavioral task

behavioral1

Sample

New Order # 8558497.exe

Resource

win7-20220414-en

remcos remotehost coreentity rat rezer0

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

New Order # 8558497.exe

Resource

win10v2004-20220414-en

remcos remotehost rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

RemoteHost

C2

dolxxrem.hopto.org:3086

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-B3XNCF
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  New Order # 8558497.exe
- Size
  
  395KB
- MD5
  
  1bb8ba2c732f0401a2b2fb80c546ae29
- SHA1
  
  4db89e355f30bede562ee9959ce662a06ac7475e
- SHA256
  
  a006ce3d5e86dac171acaeac9ffeab9172a5ff4daceca820df5d05f87f0cf6ff
- SHA512
  
  3664c862ca54341ef530eabcb26ee84739a9fdbd3de252421fb9c67b6b0d9d5acc562c968d49d4ee66df3e2b4412368b641eb6ff671280beae06741bb1960eed
Score

10^/10

remcos remotehost coreentity rat rezer0
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- CoreCCC Packer
  Detects CoreCCC packer used to load .NET malware.
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosremotehostcoreentityratrezer0

behavioral2

remcosremotehostrat

© 2018-2024

Terms | Privacy