remcos | 17b4d4ca21f00476cc685afc5d3e50c05dee6cb254bed429993ee57750abf6be | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

Product Catalogue.exe

windows7-x64

Product Catalogue.exe

windows10-2004-x64

Sharing

General

Target

Product Catalogue.ace
Size

731KB
Sample

230320-kap1vace44
MD5

15df5f20d08886946782d1d4a6b47641
SHA1

b6292fd9e0577d3a7d939a7f99a60e2ae82722dc
SHA256

17b4d4ca21f00476cc685afc5d3e50c05dee6cb254bed429993ee57750abf6be
SHA512

83109024e16741f97d9a920d05a3d69030aad2ecc1708c4eb8d48309290c6619e06c313babdf8f991884114918035acb90d017725a58d6c4fce1778daa541472
SSDEEP

12288:+pC7NPGBbvw9fSdLU0sdry0R4AzVWQv4A7NT3PHU31gycYA6wzr89pS7ETEQJdZ:mCVGB2fSN8ry0R4EIA7hfetTw4TEe

Score

10^/10

remcos remotehost evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

Product Catalogue.exe

Resource

win7-20230220-en

remcos remotehost evasion persistence rat trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

Product Catalogue.exe

Resource

win10v2004-20230220-en

remcos remotehost evasion persistence rat trojan

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Product Catalogue.exe
- Size
  
  783KB
- MD5
  
  6b04befe5957d4a3513447ae0eadbcd3
- SHA1
  
  cdb2fa02b24118d0c501a4bf6479a57e9b941c3c
- SHA256
  
  4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921
- SHA512
  
  8754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c
- SSDEEP
  
  24576:4PSxu2EYvZOwbfeT/FmkSYTU5Nb+Ca75Et:h4Yx1rW/F8D6Ca75I
Score

10^/10

remcos remotehost evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Bypass User Account Control

Scheduled Task

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostevasionpersistencerattrojan

behavioral2

remcosremotehostevasionpersistencerattrojan

© 2018-2025

Terms | Privacy