remcos | 4ff54bc771dc97403996794c50ded1a97b000c3f6eeff64afe3d049735e6bcdc | Triage

Sharing

General

Target

SecuriteInfo.com.Win32.PWSX-gen.17695.8177.exe
Size

863KB
Sample

231011-wglsjseg35
MD5

62304ab9ea09befcc17d78857c685533
SHA1

989d919493942e6da3809bf8c8c95945627797fe
SHA256

4ff54bc771dc97403996794c50ded1a97b000c3f6eeff64afe3d049735e6bcdc
SHA512

9e29ac63d6e9d260265126ab11e4ea6d2283f1ed34d1bfad76f4fec6e45cddd1574f5e046edc0811976bee3f15059c365deec07f0f9509e4505871d0272bc28b
SSDEEP

12288:RUgkR5725KtZs1L1fG+fzdX3mJwQlC6sDwhyxLU1KUT55/swI2J7Z3nFxecfSNcg:RUanF1e+bdXK1IegUbEwIoXmcB+yi1

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

167.114.189.33:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-7ZDF66
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  SecuriteInfo.com.Win32.PWSX-gen.17695.8177.exe
- Size
  
  863KB
- MD5
  
  62304ab9ea09befcc17d78857c685533
- SHA1
  
  989d919493942e6da3809bf8c8c95945627797fe
- SHA256
  
  4ff54bc771dc97403996794c50ded1a97b000c3f6eeff64afe3d049735e6bcdc
- SHA512
  
  9e29ac63d6e9d260265126ab11e4ea6d2283f1ed34d1bfad76f4fec6e45cddd1574f5e046edc0811976bee3f15059c365deec07f0f9509e4505871d0272bc28b
- SSDEEP
  
  12288:RUgkR5725KtZs1L1fG+fzdX3mJwQlC6sDwhyxLU1KUT55/swI2J7Z3nFxecfSNcg:RUanF1e+bdXK1IegUbEwIoXmcB+yi1
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostrat

behavioral2

remcosremotehostrat