remcos | 38770a1d7fb564d852c3f22d70f6e4cf3f24a0e5240f96ebf3d2c017af671618 | Triage

Submit
Reports

Overview

overview

Static

static

PAYSLP18500USD.xlsx

windows7-x64

PAYSLP18500USD.xlsx

windows10-2004-x64

1

Sharing

General

Target

PAYSLP18500USD.xlsx
Size

680KB
Sample

220808-spk97seed5
MD5

93d65d182bdf8a2e9e5d38d1661f3bb7
SHA1

9e21b2b8f08cdaeb810c64762210687ecd1d84df
SHA256

38770a1d7fb564d852c3f22d70f6e4cf3f24a0e5240f96ebf3d2c017af671618
SHA512

1c2c78d4abbc2cadf8620e2105d1474fd1144789ad0c98eb0da9221a8b83742408222c03d71f9a646db40590a1d60441c6258443c1e005085bd49a1abf2deb48

Score

10^/10

remcos mekino aug persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

PAYSLP18500USD.xlsx

Resource

win7-20220715-en

remcos mekino aug persistence rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

PAYSLP18500USD.xlsx

Resource

win10v2004-20220721-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

Mekino Aug

C2

mekremcos23.freedynamicdns.net:2397

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
os.exe
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
mouse_option
false
mutex
Rmc-ZCU1S6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
ecv
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  PAYSLP18500USD.xlsx
- Size
  
  680KB
- MD5
  
  93d65d182bdf8a2e9e5d38d1661f3bb7
- SHA1
  
  9e21b2b8f08cdaeb810c64762210687ecd1d84df
- SHA256
  
  38770a1d7fb564d852c3f22d70f6e4cf3f24a0e5240f96ebf3d2c017af671618
- SHA512
  
  1c2c78d4abbc2cadf8620e2105d1474fd1144789ad0c98eb0da9221a8b83742408222c03d71f9a646db40590a1d60441c6258443c1e005085bd49a1abf2deb48
Score

10^/10

remcos mekino aug persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosmekino augpersistencerat

behavioral2

© 2018-2024

Terms | Privacy