remcos | 4cb15f4e611f8c409972d839bf3ac9981be532d943ce81540bef9c8ec4d625e8 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

84bc6db05795a6f48d1d92e6ccdcda3a.exe
Size

2.4MB
Sample

221027-qv8lkscdar
MD5

84bc6db05795a6f48d1d92e6ccdcda3a
SHA1

e277861b5c566d0d642065febc5bb875e600bc5c
SHA256

4cb15f4e611f8c409972d839bf3ac9981be532d943ce81540bef9c8ec4d625e8
SHA512

a3f047c3a364ec7d420315f4954ddd86f4ded5e190e693299ba35b1fca18d5b0c7575f4588be8084c8ad4fef4fe4edec669bc5405339725003141be872b07d01
SSDEEP

49152:RcO4zc6c0a+QTaS39DSTrF4JVmfcO4zc6c0a+QTaS39DSTrF4JVm:Rn1dn+QTaS39Du4JVGn1dn+QTaS39Duk

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.93.189.85:179

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
profex-I2BMH9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  84bc6db05795a6f48d1d92e6ccdcda3a.exe
- Size
  
  2.4MB
- MD5
  
  84bc6db05795a6f48d1d92e6ccdcda3a
- SHA1
  
  e277861b5c566d0d642065febc5bb875e600bc5c
- SHA256
  
  4cb15f4e611f8c409972d839bf3ac9981be532d943ce81540bef9c8ec4d625e8
- SHA512
  
  a3f047c3a364ec7d420315f4954ddd86f4ded5e190e693299ba35b1fca18d5b0c7575f4588be8084c8ad4fef4fe4edec669bc5405339725003141be872b07d01
- SSDEEP
  
  49152:RcO4zc6c0a+QTaS39DSTrF4JVmfcO4zc6c0a+QTaS39DSTrF4JVm:Rn1dn+QTaS39Du4JVGn1dn+QTaS39Duk
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostrat

behavioral2

remcosremotehostrat