remcos | 4f821cf509cfc60d0e9d0f4740f1115a985b9771727199b12b1c5f115e79fbbf | Triage

Submit
Reports

Overview

overview

Static

static

9

P.O 2019 A...on.exe

windows7_x64

P.O 2019 A...on.exe

windows10-2004_x64

Sharing

General

Target

4f821cf509cfc60d0e9d0f4740f1115a985b9771727199b12b1c5f115e79fbbf
Size

322KB
Sample

220521-pbzc5aabgq
MD5

eed290b21e09550c32e5c6e067513085
SHA1

ad4bb6a94f8bfad54b776b72a4b91bda35c964d4
SHA256

4f821cf509cfc60d0e9d0f4740f1115a985b9771727199b12b1c5f115e79fbbf
SHA512

6445acceb9e2aab7c0f60671b7169ea41665c203202070af7dabc0f29d94155abf354b20809540b5ac38bf756ad236391c51e5c4aed77b1b7c15a23e64f52c13

Score

10^/10

remcos remotehost coreentity rat rezer0

Static task

static1

Behavioral task

behavioral1

Sample

P.O 2019 Autopromotec Exhibition.exe

Resource

win7-20220414-en

remcos remotehost coreentity rat rezer0

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

P.O 2019 Autopromotec Exhibition.exe

Resource

win10v2004-20220414-en

remcos remotehost rat

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

RemoteHost

C2

servr.killifabuse1.xyz:8643

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-52ZHKH
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  P.O 2019 Autopromotec Exhibition.exe
- Size
  
  359KB
- MD5
  
  d7763969d2edcc2339e3f94c08a1894f
- SHA1
  
  eff704bd0c21bde634bcf85c5d9ccdb76187d7a4
- SHA256
  
  97c985b33dbd9ee5c3541f3299abe1c0131ba2f5234ce01ee0dc1dbb1039aa0d
- SHA512
  
  ea36f01f76d32dac87987f7b75f4680b3caba29ff8d5f19e99f439c85ba12e6b0ab40c63478910739ffc9706029171180c1fd551a4648937855be74c94c87727
Score

10^/10

remcos remotehost coreentity rat rezer0
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- CoreCCC Packer
  Detects CoreCCC packer used to load .NET malware.
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostcoreentityratrezer0

behavioral2

remcosremotehostrat

© 2018-2024

Terms | Privacy