remcos

General

Target

RtJT2FrE.exe
Size

128KB
Sample

220810-yldnvagce4
MD5

648e9dc18a8bd5dda03ca12f4f2768e7
SHA1

efaefb940f47210dd0a3e9483aede0d9d5ce8a52
SHA256

e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
SHA512

6fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6

Score

10^/10

Malware Config

Extracted

Family

remcos

Version

2.5.0 Pro

Botnet

system

C2

213.152.161.40:8733

109.202.103.170:8733

213.152.162.89:8733

213.152.162.109:8733

213.152.161.239:8733

213.152.162.69:8733

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
sys.exe
copy_folder
sys
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
system
keylog_path
%WinDir%\System32
mouse_option
false
mutex
system-UQU82S
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%WinDir%\System32
screenshot_time
1
startup_value
remcos
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
https://online.mbank.pl/pl/Login;https://login.ingbank.pl/mojeing/app/#login;https://www.pekao24.pl/;https://online.santanderconsumer.pl/Authentication/;https://orangefinanse.com.pl/or/Login;https://login.aliorbank.pl/;https://www.ipko.pl/;https://secure.getinbank.pl/#index/index;https://www.bankmillennium.pl/logowanie;https://www.ideabank.pl/logowanie;https://www.bosbank.pl/#;https://www.bankbps.pl/;https://plusbank24.pl/;https://www.citibankonline.pl/apps/auth/signin/;https://e-bank.credit-agricole.pl/;https://moj.raiffeisenpolbank.com/;https://login.bgzbnpparibas.pl/login/Redirect?SAMLRequest=fZDBTsMwDIZfpcp9bdoG2lltpQouk%2BDCEPe09bZKbRJiB008PWET0uDA0fb3%2FZbdkF4XB33gk3nB94DEyXldDMFl0IrgDVhNM4HRKxLwCPv%2B%2BQmKVILzlu1oF3Gj%2FG9oIvQ8WyOS3WMryvupVnlZTbqUoyoHuVWYq8MW1aEqsFQieUNPEW9FtKNDFHBniLXh2JJ5vZHbTSFf8wLyCu5qkfQ%2FGx6sobCi36P%2FmMdoTXhuRQzpmf08BMYrMZvjX6Rrvi%2BByzbfnZgdZJlbtEFOh%2BPnYJzTMUJT6pYmu2Wv1e9%2Fdl8%3D;https://konto.toyotabank.pl/auth/login.jsp;https://online.eurobank.pl/nbi/bezpieczenstwo/logowanie;https://www.deutschebank.pl/;https://www.pocztowy.pl/;https://www.t-mobilebankowe.pl/;

Targets

- Target
  
  RtJT2FrE.exe
- Size
  
  128KB
- MD5
  
  648e9dc18a8bd5dda03ca12f4f2768e7
- SHA1
  
  efaefb940f47210dd0a3e9483aede0d9d5ce8a52
- SHA256
  
  e0b6bc3a80979c9698dc1a45ec43f00b0a35841706e1414fb29996eb57962c44
- SHA512
  
  6fd011e2397eaa6ae0f87f41bdc7df8aa01db2e7d181a9072b9e2cddc49722dc1ccb1a67cc45c59989438c68539e0c6f4154267e4d86dbdcc8088b22a435a3a6
Score

10^/10

remcos system evasion persistence rat trojan
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2