remcos

General

Target

4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.zip
Size

729KB
Sample

230321-r4pqhabd87
MD5

232db5b798002ed8c901b59572e87e7e
SHA1

6053ed5eccd8b0dedecd96cf74d3ea89f4d33eb4
SHA256

b19df7d566b7e9fa96062f6d99f6b2218af7a702024c3f182fba10739a2516af
SHA512

042619e4540528476912576484f528a5041bbbf27eef91b9d01d916eea439a1dc4ec03a012e5cc0149898ee3f0f07df333c8b37c18e97221fa04a99fd9512265
SSDEEP

12288:LNXcRahYL2ZB0GPoGUIJa/bmyDtrFmwqL5j6CBOKFvA1j5jnJ:LNsMhYL2zrUIUjmetBmwK5j65KFvA7J

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

51.75.209.245:2406

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-52YOYG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921.exe
- Size
  
  783KB
- MD5
  
  6b04befe5957d4a3513447ae0eadbcd3
- SHA1
  
  cdb2fa02b24118d0c501a4bf6479a57e9b941c3c
- SHA256
  
  4b54075f2a8e292530e7741ed3e2da8f0ba10a3936fe3642e651e7d6fbb10921
- SHA512
  
  8754b20c2a1a762b3a945fd4c6035380ac38bb03ea5541a0dcdc2d011746ec5d37323693b0df2649aa5df91315f7f8764b0215155205c666876200c58df50b1c
- SSDEEP
  
  24576:4PSxu2EYvZOwbfeT/FmkSYTU5Nb+Ca75Et:h4Yx1rW/F8D6Ca75I
Score

10^/10

remcos remotehost evasion persistence rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2