remcos

General

Target

8e34dbf3bceb9c9cf22f32ea7d870be4
Size

149KB
Sample

220824-y4ec4aafbm
MD5

8e34dbf3bceb9c9cf22f32ea7d870be4
SHA1

d9cd6c07ee134e10b179821808f617cdf2dc810b
SHA256

74b1f33dc283a64df996251ad950a1c8bdba5ab77da45c97233972d2a8c17056
SHA512

3ccb54fdd4dff867a760c11b94f147b503ffd015cd5d8ee11a86f6afa0cfb3fe3507420bf5d94ee85f7c6773e0aa58084b83b142aa54cf9baea4824438143b47
SSDEEP

3072:J90Eg7YOC0q0vGBYovRDlDybNTPCtRqFvYs:1gYtvJDlmbRX

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns.com:443/obieznne.msi

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns.com:443/KMS_Tool.msi

Extracted

Family

remcos

Botnet

220825

C2

cothdesigns.com:3456

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
180
copy_file
software_reporter_tool.exe
copy_folder
AppData\Local\Google
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%UserProfile%
keylog_crypt
true
keylog_file
adbkey.dat
keylog_flag
false
keylog_path
%Temp%
mouse_option
false
mutex
9416a517bdcd8521-XQOB43
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Google
screenshot_path
%Temp%
screenshot_time
60
startup_value
Google
take_screenshot_option
false
take_screenshot_time
5

Extracted

Language

ps1

Source

URLs

exe.dropper

http://cothdesigns.com:443/KMS_Tool.msi

Targets

- Target
  
  8e34dbf3bceb9c9cf22f32ea7d870be4
- Size
  
  149KB
- MD5
  
  8e34dbf3bceb9c9cf22f32ea7d870be4
- SHA1
  
  d9cd6c07ee134e10b179821808f617cdf2dc810b
- SHA256
  
  74b1f33dc283a64df996251ad950a1c8bdba5ab77da45c97233972d2a8c17056
- SHA512
  
  3ccb54fdd4dff867a760c11b94f147b503ffd015cd5d8ee11a86f6afa0cfb3fe3507420bf5d94ee85f7c6773e0aa58084b83b142aa54cf9baea4824438143b47
- SSDEEP
  
  3072:J90Eg7YOC0q0vGBYovRDlDybNTPCtRqFvYs:1gYtvJDlmbRX
Score

10^/10

remcos 220825 persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds policy Run key to start application
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Targets

Adds policy Run key to start application

Blocklisted process makes network request

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2