b371d002c5cdc04dc83f47d413a17103d6325b13c945ff090952aa743b6e9205

Target

Size

160KB

Sample

220521-xh3m5abgf9

Score

10 ^/10

MD5

42e0fe24cb392a0dc23c0232959bad30

SHA1

815e71accb773c61654a6939532f46fe0c65fc80

SHA256

b371d002c5cdc04dc83f47d413a17103d6325b13c945ff090952aa743b6e9205

SHA512

0007083d70a1a25bd02a37ff225a2e50aacdff4599fe983b3dc52abc641a3786d405852fa51a6b75c736e0c819a56272aa51e8ac2c8c56344c29ea8093a77b37

Extracted

Family	remcos
Version	2.5.1 Pro
Botnet	xxxxxxxxxxxx
C2	109.169.89.116:2021 109.169.89.116:2021
Attributes	audio_folder MicRecords audio_path %AppData% audio_record_time 5 connect_delay 0 connect_interval 1 copy_file remcos.exe copy_folder remcos delete_file false hide_file false hide_keylog_file false install_flag false install_path %AppData% keylog_crypt false keylog_file s.sex keylog_flag false keylog_folder ssssss keylog_path %UserProfile% mouse_option false mutex fuckhere-M9W1LK screenshot_crypt false screenshot_flag false screenshot_folder Screenshots screenshot_path %AppData% screenshot_time 10 startup_value remcos take_screenshot_option false take_screenshot_time 5 take_screenshot_title wikipedia;solitaire;

Target

PO93-DOC89345833_pdf.exe

MD5

d44fd12c4a59244c15415cc69d9107b2

Filesize

241KB

Score

10^/10

SHA1

6a656dd83746eab439e5945c262f96b3cdce15ec

SHA256

1f116c8f89973d9a9641d0dfd79af6c83c36ea2bf80a7cde67c18613402a1936

SHA512

a8fffbf3fab2e479a20f544dc35f9c560793d6936a1a975a3aba68153c3d958b3963d5c87053b763de28a41d3cf04cbdb78e085001fa148234cc87f7d092253e

Signatures

Remcos
Description

Remcos is a closed-source remote control and surveillance software.
Tags

rat remcos
Looks for VirtualBox Guest Additions in registry
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Looks for VMWare Tools registry key
Tags

evasion

TTPs

Query RegistryVirtualization/Sandbox Evasion
Checks BIOS information in registry
Description

BIOS information is often read in order to detect sandboxing environments.
TTPs

Query RegistrySystem Information Discovery
Checks computer location settings
Description

Looks up country code configured in the registry, likely geofence.
TTPs

Query RegistrySystem Information Discovery
Maps connected drives based on registry
Description

Disk information is often read in order to detect sandboxing environments.
TTPs

Query RegistryPeripheral Device DiscoverySystem Information Discovery
Suspicious use of SetThreadContext

Related Tasks

behavioral1 behavioral2

Collection

Command and Control

Credential Access

Defense Evasion

Virtualization/Sandbox Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

static1

behavioral1

remcos xxxxxxxxxxxx evasion rat

10^/10

behavioral2

remcos xxxxxxxxxxxx evasion rat

10^/10

Extracted

Tags

Signatures

Remcos

Description

Tags

Looks for VirtualBox Guest Additions in registry

Tags

TTPs

Looks for VMWare Tools registry key

Tags

TTPs

Checks BIOS information in registry

Description

TTPs

Checks computer location settings

Description

TTPs

Maps connected drives based on registry

Description

TTPs

Suspicious use of SetThreadContext

Related Tasks

static1

behavioral1

behavioral2