0dc4b40e172511950b2dbfc92eda71029f090c1f8ddbbe89921f5c49ee92f59d

Target

Size

835KB

Sample

220521-w11e2seacl

Score

10 ^/10

MD5

fd65ad955ceb50ef41e385c88d751dc8

SHA1

b31c56045109fafabe403537e60647361a8ab4ca

SHA256

0dc4b40e172511950b2dbfc92eda71029f090c1f8ddbbe89921f5c49ee92f59d

SHA512

82666b25382206715d13f83c40a05ef9006f94b8db7f27463aac8e24f40cf579c3345b668db1339b7cc796107fe5091129437478e2c660471d9c5a4ee768df3a

Extracted

Family	remcos
Version	2.5.1 Pro
Botnet	AUGUST-BLESS-ME
C2	officer170.webredirect.org:2404 chidera12345.ddns.net:2404 officer170.webredirect.org:2404 chidera12345.ddns.net:2404
Attributes	audio_folder MicRecords audio_path %AppData% audio_record_time 5 connect_delay 0 connect_interval 1 copy_file remcos.exe copy_folder remcos delete_file false hide_file false hide_keylog_file false install_flag false install_path %AppData% keylog_crypt false keylog_file logs.dat keylog_flag false keylog_folder remcos keylog_path %AppData% mouse_option false mutex Remcos-T7VXCL screenshot_crypt false screenshot_flag true screenshot_folder Screenshots screenshot_path %AppData% screenshot_time 1 startup_value remcos take_screenshot_option false take_screenshot_time 5 take_screenshot_title wikipedia;solitaire;

Target

POEA MEMORANDUM NO. 62-2020 ON ACCREDITATION OF AGENCIES.PDF.exe

MD5

6a8addc2fd26cab55567eba884e377d5

Filesize

969KB

Score

10^/10

SHA1

2fba0e16b023e47ff5c866325c5208a2d49f9da2

SHA256

86c92d4b2244153a1f601168307d0c60f413631574d9c0ed3fe4c6fa890d6c26

SHA512

024fc7aafc4ce64f0ddeefc0351fc0684fc9eb0a0d38f1b07152b19397da10edc5d0f99ffadb0632fc89d145ea872751ae10762f667d893fa26ed0dd223adb4a

Signatures

Remcos
Description

Remcos is a closed-source remote control and surveillance software.
Tags

rat remcos
suricata: ET MALWARE Remcos RAT Checkin 23
Description

suricata: ET MALWARE Remcos RAT Checkin 23
Tags

suricata
Executes dropped EXE
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Loads dropped DLL
Adds Run key to start application
Tags

persistence

TTPs

Registry Run Keys / Startup FolderModify Registry
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

static1

behavioral1

remcos august-bless-me persistence rat suricata

10^/10

behavioral2

remcos august-bless-me persistence rat suricata

10^/10

Extracted

Tags

Signatures

Remcos

Description

Tags

suricata: ET MALWARE Remcos RAT Checkin 23

Description

Tags

Executes dropped EXE

Checks computer location settings

Description

TTPs

Loads dropped DLL

Adds Run key to start application

Tags

TTPs

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2