remcos | e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0 | Triage

Submit
Reports

Overview

overview

Static

static

1.exe

windows10-2004-x64

Sharing

General

Target

1.exe
Size

36KB
Sample

230218-sp819sce77
MD5

955254331ec1b57550742ed9b353b00f
SHA1

3a00c062489de5371742bc5eca43ae8ec32affac
SHA256

e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0
SHA512

5e1aa13cf78fe3d6bfbc15eb2155dad30f0a6e6ea533df7f34ab06eb85ab87fa225c313753fc1886770c9990f2e87400fbfa7bea9a557f9f2acec8d3481b4d70
SSDEEP

768:P5PHyCjmhFdWfLubuZ1kvIaEekM2C8cZNr1:P5PHfjGPAKbLVUer

Score

10^/10

remcos 1877 evasion persistence rat upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

1.exe

Resource

win10v2004-20220901-en

remcos 1877 evasion persistence rat upx

windows10-2004-x64

15 signatures

30 seconds

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

1877

C2

hawler.duckdns.org:2404

5.206.227.115:2404

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
svshost.exe
copy_folder
1877
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%WinDir%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
1877
keylog_path
%AppData%
mouse_option
true
mutex
1877_spelzoyulk
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
Google Update
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1.exe
- Size
  
  36KB
- MD5
  
  955254331ec1b57550742ed9b353b00f
- SHA1
  
  3a00c062489de5371742bc5eca43ae8ec32affac
- SHA256
  
  e088712c8943c56456635938bc9668f0ca0724086525de9dc736ae5e77ee17a0
- SHA512
  
  5e1aa13cf78fe3d6bfbc15eb2155dad30f0a6e6ea533df7f34ab06eb85ab87fa225c313753fc1886770c9990f2e87400fbfa7bea9a557f9f2acec8d3481b4d70
- SSDEEP
  
  768:P5PHyCjmhFdWfLubuZ1kvIaEekM2C8cZNr1:P5PHfjGPAKbLVUer
Score

10^/10

remcos 1877 evasion persistence rat upx
- Modifies WinLogon for persistence
  persistence
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Adds policy Run key to start application
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Program crash
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

Virtualization/Sandbox Evasion

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcos1877evasionpersistenceratupx

© 2018-2024

Terms | Privacy