remcos | 04a8ec81d470d779101a2a39ad5b801668cbec7f78176f89766fd966744a9c38 | Triage

Sharing

General

Target

04a8ec81d470d779101a2a39ad5b801668cbec7f78176f89766fd966744a9c38
Size

186KB
Sample

220527-y7qkjabee3
MD5

07d887ce0ba2736fa8fbc5139ad74c3d
SHA1

b818f67d4ac19b0c8fd2c167f4b48e188983a99d
SHA256

04a8ec81d470d779101a2a39ad5b801668cbec7f78176f89766fd966744a9c38
SHA512

791df0198131e32ccf3ba4e18cd8612279e41d1223238222a589ce44614aa81bf8fe6d34fb9a6dc3d7c9126753e283df2d48107ae5cbb1a51a297bbd33a26056

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Version

2.0.5 Pro

Botnet

RemoteHost

C2

79.172.242.28:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
xi3s.exe
copy_folder
xi3x
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NL03Y0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
xi5w
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Extracted

Family

remcos

Botnet

RemoteHost

C2

79.172.242.28:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
xi3s.exe
copy_folder
xi3x
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-NL03Y0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
xi5w
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Targets

- Target
  
  04a8ec81d470d779101a2a39ad5b801668cbec7f78176f89766fd966744a9c38
- Size
  
  186KB
- MD5
  
  07d887ce0ba2736fa8fbc5139ad74c3d
- SHA1
  
  b818f67d4ac19b0c8fd2c167f4b48e188983a99d
- SHA256
  
  04a8ec81d470d779101a2a39ad5b801668cbec7f78176f89766fd966744a9c38
- SHA512
  
  791df0198131e32ccf3ba4e18cd8612279e41d1223238222a589ce44614aa81bf8fe6d34fb9a6dc3d7c9126753e283df2d48107ae5cbb1a51a297bbd33a26056
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosremotehostpersistencerat

behavioral2

remcosremotehostrat