remcos | e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

fa106001a7...0f.rtf

windows7-x64

fa106001a7...0f.rtf

windows10-2004-x64

1

Sharing

General

Target

fa106001a7cf2deb09192898ba82b50f
Size

25KB
Sample

230313-pwet8aad38
MD5

fa106001a7cf2deb09192898ba82b50f
SHA1

d472611b9c4185f4dad80143c6c46cb3a3047779
SHA256

e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057
SHA512

16ea979dc9850ae3ef7e4540070da3db3da4c046832b3b6efbd14c1a335082788e3995e6693e1e1c965cc8d0b7c9ec60b13f2720dfd6b9f03ac415506966dfde
SSDEEP

768:LEohQfFWWeZqbo8PC6uucJIOFMzGcAYl+CxjfbsredELLyxWlN:IoheWnIKIicYC16rLaWf

Score

10^/10

remcos remotehost rat

Static task

static1

Behavioral task

behavioral1

Sample

fa106001a7cf2deb09192898ba82b50f.rtf

Resource

win7-20230220-en

remcos remotehost rat

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

fa106001a7cf2deb09192898ba82b50f.rtf

Resource

win10v2004-20230221-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

vcv.mastercoa.co:8489

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-4IE8MY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  fa106001a7cf2deb09192898ba82b50f
- Size
  
  25KB
- MD5
  
  fa106001a7cf2deb09192898ba82b50f
- SHA1
  
  d472611b9c4185f4dad80143c6c46cb3a3047779
- SHA256
  
  e24f9280b453e5262a8f191193f4bf2c249273d30b32dd19e924e56f7e02f057
- SHA512
  
  16ea979dc9850ae3ef7e4540070da3db3da4c046832b3b6efbd14c1a335082788e3995e6693e1e1c965cc8d0b7c9ec60b13f2720dfd6b9f03ac415506966dfde
- SSDEEP
  
  768:LEohQfFWWeZqbo8PC6uucJIOFMzGcAYl+CxjfbsredELLyxWlN:IoheWnIKIicYC16rLaWf
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Exploitation for Client Execution

Scripting

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostrat

behavioral2

© 2018-2025

Terms | Privacy