remcos | 42e9454763fcdfe8994cb219ea2f38a71249be92f47bcf6047cfae997b0a46ca | Triage

Sharing

General

Target

df0dfed7d9bb8ffc5ac307ef14dd86ed.bin
Size

273KB
Sample

230816-cvmgfsed93
MD5

399807473e4283d583609825c32eace9
SHA1

a836c4c3841f3ad06ff15683c92fc959ea0ebda7
SHA256

42e9454763fcdfe8994cb219ea2f38a71249be92f47bcf6047cfae997b0a46ca
SHA512

e9e54395fa017b3c7bfe90a5d6e06f2cf603ff9a20439d82369debf99020eb74c9b85b6748f4e394c4b3c69f10e9b3bcdba0eebb21cd85dab077f95204acda07
SSDEEP

6144:PN5YZQ8oeMIYv0GXVGqZmTJkDtUaZLzuFXPl0JM1Mm20SgG:PNyQZKYVGclhPzQflwM160e

Score

10^/10

remcos logs persistence rat

Malware Config

Extracted

Family

remcos

Botnet

LOGS

C2

23.19.87.242:1987

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chromes.exe
copy_folder
chromes
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QBX5A0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0.exe
- Size
  
  338KB
- MD5
  
  df0dfed7d9bb8ffc5ac307ef14dd86ed
- SHA1
  
  ecf99b4bae23c5a2da6866fe20ca86a1a3bec012
- SHA256
  
  087660dc2a6b875e634ec97e02989bda25dacd024de28c35bcf0597c654046e0
- SHA512
  
  d903253529677775d8e58ed5405366ca5dbc04f781e99d5ba1d0ab38ff1c3e4296e4fa7b4042bd38b62eac6fb9c260d9b16e324294205d0cc4aceb6ec92d3228
- SSDEEP
  
  6144:cmOPKXTWo8aBPyT2PvEIOzalVa0vjntlcrjDpWgs/oiTrVYdHjKHnLXmfIEM:zSo8aBPk2nEhelRTtlc3D8gkoiL/
Score

10^/10

remcos logs persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcoslogspersistencerat

behavioral2

remcoslogspersistencerat