remcos | 8a0a6222211f0a83491ab63a17e31dd91567d51b2547009eaabbbd30a23fd696 | Triage

Submit
Reports

Overview

overview

Static

static

c5706b81a1...4.xlsx

windows7-x64

c5706b81a1...4.xlsx

windows10-2004-x64

1

Sharing

General

Target

8279478571.zip
Size

692KB
Sample

221103-st5jmsebcn
MD5

0a36838ccafa9286678c1790df105fb1
SHA1

8b67c45cc532d03b5596bea4edbc80f5b4039495
SHA256

8a0a6222211f0a83491ab63a17e31dd91567d51b2547009eaabbbd30a23fd696
SHA512

02919f1be1e8799f605676c89bf049314fff85f904e1d2f3c53633b2bc98f2e84338871cdf8fd854ef8410f1588920530ad96cd61c25e5d61d5830e6607e1177
SSDEEP

12288:pvNCr8OoUzYbEmnb66YwxhAmxU7G6vrgOnsCE8IGlgku7tgSyaCBBSW0K:pALYbnO6Bhl6vrgO02Zu7tKnSWj

Score

10^/10

remcos xp persistence rat

Static task

static1

Behavioral task

behavioral1

Sample

c5706b81a1d2ee066776d358fe683c9cbf853ef3fb0ef0f8a7d86b0f84ff3044.xlsx

Resource

win7-20220901-en

remcos xp persistence rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

c5706b81a1d2ee066776d358fe683c9cbf853ef3fb0ef0f8a7d86b0f84ff3044.xlsx

Resource

win10v2004-20220812-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

XP

C2

xpremcuz300622.ddns.net:3542

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
oos.exe
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Remcos-MMP2I7
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
kkl
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  c5706b81a1d2ee066776d358fe683c9cbf853ef3fb0ef0f8a7d86b0f84ff3044
- Size
  
  694KB
- MD5
  
  259f46d30a2b6c8da678ce7fe4c3c679
- SHA1
  
  d9a430f7ff1e8b0ee20f80b4299e4b99776732c0
- SHA256
  
  c5706b81a1d2ee066776d358fe683c9cbf853ef3fb0ef0f8a7d86b0f84ff3044
- SHA512
  
  ec5ce338192c414fd79a1c0c936b774c92ddf87e1d7aa06fc20a2571eb006675b74101ddec7b6e5eea95298e1a1a3279a89037a4a35699cfb51159d071e759eb
- SSDEEP
  
  12288:mZknhVXxqZDzMqkOm4jsEUxkGpv2NhmLCE8XPQQkdH7pX4s2z1p4db8fdhQS:maTMI944EUxkyAhKC75ybpI9z0b+d+S
Score

10^/10

remcos xp persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosxppersistencerat

behavioral2

© 2018-2024

Terms | Privacy