remcos | 24fff69c10fab0262c3545b095aefe20db7e851255ba8f63b4043ce5d312965e | Triage

Submit
Reports

Overview

overview

Static

static

1

bd0366e241...5.docx

windows7-x64

bd0366e241...5.docx

windows10-2004-x64

1

Sharing

General

Target

RO10098.docx.doc.rl.zip
Size

291KB
Sample

230609-dfeczaah27
MD5

644fe104a50241352ce1fdc7ca0441b0
SHA1

849a02166c9a9a302dd8660cba1701bc8c4d1dba
SHA256

24fff69c10fab0262c3545b095aefe20db7e851255ba8f63b4043ce5d312965e
SHA512

c2db98675a70f554f1b52854eec4fe7cbee3e9c31ca586964976bb4466dcc380fef9c61c61e75dd9d5ccebf3363a0572a9792b53e062ee7f887503bc7be1e619
SSDEEP

6144:RN5atZ1RXQnl81JkVsBINs5eK9U4zOu/lpW+Ta5Uvk6pfE4sC2+ltO7/s:RN5atea1JkVpsr3OypHaOxJE4saltO7k

Score

10^/10

remcos remotehost rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

bd0366e2416de0fa75b77414b82f31e7ede37255.docx

Resource

win7-20230220-en

remcos remotehost rat

windows7-x64

17 signatures

150 seconds

Behavioral task

behavioral2

Sample

bd0366e2416de0fa75b77414b82f31e7ede37255.docx

Resource

win10v2004-20230220-en

windows10-2004-x64

5 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

pekonomiana.duckdns.org:30491

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EORWFM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  bd0366e2416de0fa75b77414b82f31e7ede37255.rl
- Size
  
  292KB
- MD5
  
  473b3909e911de8c27ab621986c02d0e
- SHA1
  
  bd0366e2416de0fa75b77414b82f31e7ede37255
- SHA256
  
  5564cb2776b7336df157a5d8133543aa7a55c59550d9c8095f660e9945f4d93f
- SHA512
  
  bb41b10cc26a8426beba8285488a99898cd9b4a7a7e4abe4c99bb29444b3a4af3b72238fb7e0b7dd17741931a057edc834345d0da79a738e2817579306404cd4
- SSDEEP
  
  6144:yi7n5JRXQnl81RkVsBIPs5eK9U4zOu/lpW+1a5Uvk6pfo4sCy+ltOOCr0:yi75Ya1RkVTsr3OypRaOxJo4sUltOtr0
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

remcosremotehostrat

behavioral2

© 2018-2024

Terms | Privacy