remcos | 56c743180f8459c00a5941dc3fca9c254cce1ea8830c84a617c3e33fbcd30650 | Triage

Submit
Reports

Overview

overview

Static

static

8

ACH remittance.xls

windows7-x64

ACH remittance.xls

windows10-2004-x64

Sharing

General

Target

ACH remittance.xls
Size

32KB
Sample

220806-hx9mnaeda6
MD5

053dbb0cbcfcb2f96552414b4637a0ac
SHA1

5f8ba5947e41eaf20cbb4cb7e8ac69e140d56b3a
SHA256

56c743180f8459c00a5941dc3fca9c254cce1ea8830c84a617c3e33fbcd30650
SHA512

205c5e76b036bc3143a2a6e27a0d436f5ea2418881685a6cf19ef01cc41bc56156e6961fd7e5b2ed45b67e36f7edb96005714e6da947fffbdd6a22ab474f8e73

Score

10^/10

remcos remotehost macro macro_on_action rat

Static task

static1

macro macro_on_action

2 signatures

Behavioral task

behavioral1

Sample

ACH remittance.xls

Resource

win7-20220715-en

remcos remotehost rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

ACH remittance.xls

Resource

win10v2004-20220721-en

remcos remotehost rat

windows10-2004-x64

17 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

businessculture.dvrlists.com:117

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-GN4RN2
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  ACH remittance.xls
- Size
  
  32KB
- MD5
  
  053dbb0cbcfcb2f96552414b4637a0ac
- SHA1
  
  5f8ba5947e41eaf20cbb4cb7e8ac69e140d56b3a
- SHA256
  
  56c743180f8459c00a5941dc3fca9c254cce1ea8830c84a617c3e33fbcd30650
- SHA512
  
  205c5e76b036bc3143a2a6e27a0d436f5ea2418881685a6cf19ef01cc41bc56156e6961fd7e5b2ed45b67e36f7edb96005714e6da947fffbdd6a22ab474f8e73
Score

10^/10

remcos remotehost rat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

macromacro_on_action

behavioral1

remcosremotehostrat

behavioral2

remcosremotehostrat

© 2018-2024

Terms | Privacy