remcos | 224d4aca2fb5aa52b10f43f36255fe026bbb7b772c1562771a8b9978cdf605de | Triage

Sharing

General

Target

Photo_Eva_Elfie_Album.zip.7z
Size

956KB
Sample

220923-hv712sddf7
MD5

a057443ad87ac7cb0d5e1fa10115f0fb
SHA1

b6965ce5dceeed1b178865468858586e32f84daa
SHA256

224d4aca2fb5aa52b10f43f36255fe026bbb7b772c1562771a8b9978cdf605de
SHA512

144fc76c5bdb7121e7a3ae1ef7e5e1040313a942cf2ee01deac74cec554227610ba1daf6825aff37fb5bc7b7b77823b7c9f1275927bd5431b344412aa6f8a6a6
SSDEEP

24576:3XxADxr7uw3+ylBuXtS+aYjaCV8nVHVe0/+ayecwspzQ3GHHu:3XKDFu2+fXkvYjaaAVHVb+ayeDspM3

Score

10^/10

remcos 2023 persistence rat

Malware Config

Extracted

Family

remcos

Botnet

2023

C2

141.95.84.40:3030

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
AIECWOAJOWOAWVWAV-3MOAQV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  '
- Size
  
  621KB
- MD5
  
  60da13ec9fbd16ff328e2521e8dd4191
- SHA1
  
  2e0048bc0143e8586dc2d7b84c252875ab9e0e4f
- SHA256
  
  b101859a33b07bc3270dc58a5270e9d574f4bdc655e57ed68b7b78e93b1abf02
- SHA512
  
  4e9b7d7c978d19ffcbf07d734129d2588b63d530de902660fa6e21641eb0946026db12b3aeba51d63f61b5bda76b853cc94b50a8e1a37dc73fc0fe9a356cc89c
- SSDEEP
  
  12288:XLS5VP601MkFnLtQvD9OAftXdhzwHJem7OzwHJe1sx:X25kcJWvROAftXdlwpemIwpe6x
Score

1^/10
behavioral1 behavioral2
- Target
  
  Photo_Eva_Elfie_Album.vbs
- Size
  
  4.0MB
- MD5
  
  46dc4877fd6f2dff2449f8dfbb0e25fb
- SHA1
  
  d819365cdcba1ee1e8ca86014ee31a17479124e3
- SHA256
  
  8df0f81f4b522c8338864c4165bf9754ab91d5c130122d336fc59c20ffcf4d30
- SHA512
  
  5ca664e4c35682f1611fc4269b7b0c137c3f1430e50f02eb233c5e20bf7d57d2a582bef742fc96a33d09f62db42fae918752d4678314fcf66091f194f705f57f
- SSDEEP
  
  12288:XwwwgggLLdddiTiirJrc0INNNN4NnWMphAE7ubBrV+gTwQ00hIG2AxVliB1Tz21I:AWaiwIvbwX3Gg
Score

10^/10

remcos 2023 persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Registers COM server for autorun
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

remcos2023persistencerat

behavioral4

remcos2023persistencerat