remcos | 0f4d1dbae1cbb430bd201e362d7325a9a462de60d0fa04de4c3ef871de11248d | Triage

Sharing

General

Target

0936b7713936d51076fe77b8c8da04e0.exe
Size

846KB
Sample

221027-kfas4sbef3
MD5

0936b7713936d51076fe77b8c8da04e0
SHA1

110a96f1b5c12fd037d859893a24006f0fa3fd04
SHA256

0f4d1dbae1cbb430bd201e362d7325a9a462de60d0fa04de4c3ef871de11248d
SHA512

03dc8b87e52bde6b2b42ccd763c3c38ad5ffe3d15b3f9df347ffbff083373ed7ca7598698088c80e9559f7e749ab5bf38695ca1163c12ba9ae3a7ed1fc244c62
SSDEEP

12288:8Ho/fOuZ8LRDppurpXjit1hUYr10dBtyyGLosbYE8f4VRn2Ar:wUGuZ8tDCRjizhbrW4pE0pVt

Score

10^/10

remcos oct 25th rdp microsoft evasion persistence phishing rat trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Oct 25th RDP

C2

gcrozonav.duckdns.org:4045

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
Microsoft Intel Audio.exe
copy_folder
Audio Microsoft
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Windows Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Windows Security Check
take_screenshot_option
true
take_screenshot_time
5
take_screenshot_title
Username;password;proforma;invoice;notepad

Targets

- Target
  
  0936b7713936d51076fe77b8c8da04e0.exe
- Size
  
  846KB
- MD5
  
  0936b7713936d51076fe77b8c8da04e0
- SHA1
  
  110a96f1b5c12fd037d859893a24006f0fa3fd04
- SHA256
  
  0f4d1dbae1cbb430bd201e362d7325a9a462de60d0fa04de4c3ef871de11248d
- SHA512
  
  03dc8b87e52bde6b2b42ccd763c3c38ad5ffe3d15b3f9df347ffbff083373ed7ca7598698088c80e9559f7e749ab5bf38695ca1163c12ba9ae3a7ed1fc244c62
- SSDEEP
  
  12288:8Ho/fOuZ8LRDppurpXjit1hUYr10dBtyyGLosbYE8f4VRn2Ar:wUGuZ8tDCRjizhbrW4pE0pVt
Score

10^/10

remcos oct 25th rdp evasion persistence rat trojan microsoft phishing
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosoct 25th rdpevasionpersistencerattrojan

behavioral2

remcosoct 25th rdpmicrosoftevasionpersistencephishingrattrojan