remcos | f236ecc5c743637f451083feddf683834e3725abffac09a60adb686348b21558 | Triage

Submit
Reports

Overview

overview

Static

static

1

FDD-12164 ...5.docx

windows7-x64

FDD-12164 ...5.docx

windows10-2004-x64

Sharing

General

Target

FDD-12164 - Ref. no. FPSD-46945.docx
Size

1.7MB
Sample

230831-gsbpdsda81
MD5

58d7b56383c39df07322fef108a8b0f6
SHA1

5b0731eb50b808a990174d1e38cdf29854d52856
SHA256

f236ecc5c743637f451083feddf683834e3725abffac09a60adb686348b21558
SHA512

ccbc3233ba093471568eae8e6559dff14055a9a427a60355a1159a2f6daf06f8363a8990388e51bc1ec611857ea0ec2079c8800ef5c96529e76a09c6f5dc96df
SSDEEP

49152:pX7vgOtGReTU5wFk2M296HnvYk3oV4fSPyfuy0oh/:R7I6GVH2M1ngqoVry0M/

Score

10^/10

remcos generall persistence rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

FDD-12164 - Ref. no. FPSD-46945.docx

Resource

win7-20230712-en

remcos generall persistence rat

windows7-x64

16 signatures

150 seconds

Behavioral task

behavioral2

Sample

FDD-12164 - Ref. no. FPSD-46945.docx

Resource

win10v2004-20230703-en

remcos generall persistence rat

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

GENERALl

C2

one.dmi.cloudns.ph:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
chromee.exe
copy_folder
chrome
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
dat
mouse_option
false
mutex
Rmcuhjk-ULEWAC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  FDD-12164 - Ref. no. FPSD-46945.docx
- Size
  
  1.7MB
- MD5
  
  58d7b56383c39df07322fef108a8b0f6
- SHA1
  
  5b0731eb50b808a990174d1e38cdf29854d52856
- SHA256
  
  f236ecc5c743637f451083feddf683834e3725abffac09a60adb686348b21558
- SHA512
  
  ccbc3233ba093471568eae8e6559dff14055a9a427a60355a1159a2f6daf06f8363a8990388e51bc1ec611857ea0ec2079c8800ef5c96529e76a09c6f5dc96df
- SSDEEP
  
  49152:pX7vgOtGReTU5wFk2M296HnvYk3oV4fSPyfuy0oh/:R7I6GVH2M1ngqoVry0M/
Score

10^/10

remcos generall persistence rat
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosgenerallpersistencerat

behavioral2

remcosgenerallpersistencerat

© 2018-2024

Terms | Privacy