remcos | e36d35be30970f252939be9d5a1cd64181cfef9b1181ac5638e42ff9c5d25090 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

TNT Original Invoice.ace
Size

913KB
Sample

230921-psckpaaa38
MD5

cf338a9ab62c7280af2ba09bc0696959
SHA1

d05fc49456c7e54200412eac92319776a47de4c4
SHA256

e36d35be30970f252939be9d5a1cd64181cfef9b1181ac5638e42ff9c5d25090
SHA512

6517c6a12a59366050a6046d9de9f8be48591c749bf75072da8c1f6b42974a376081104a9da004dac7d68c40681c2582cecafbd814ef519f1c19ac4dd96ca7b2
SSDEEP

24576:j0Tq8Y4GPeqg28/cn1G5ttrSS9P92VLjYu:98PGPK28/SirjB2jYu

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

167.114.189.33:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7ZDF66
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  TNT Original Invoice.exe
- Size
  
  1014KB
- MD5
  
  27cd58c7d1c19c1fcb2c1ab4e9f7b53a
- SHA1
  
  f1d2b9e6a67b998ce0f960608c638b7628e9bb37
- SHA256
  
  b2fc36f6f4e72e2700737425abab14e4d75a190195c7cd8397cb9ae9761ec34b
- SHA512
  
  ed4aa3eb267a559194116754e015415f9ce88cbb9e6ba4bf2a27b057c960cb602778d8378d0ac1ef8cc5061a83f202cb6096d58b0c402ada43ea10060760a44b
- SSDEEP
  
  24576:v1XEWqsbMdJHWC1o2rb3BGqFX2cKdNw/bMo7:vpvqs4fHW+FtFXsdG/bMo7
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostrat

behavioral2

remcosremotehostrat