remcos | cefa523cb435720c81c933c07f02f2c3f09979228b8d6a43309724892f335ee0 | Triage

Sharing

General

Target

cefa523cb435720c81c933c07f02f2c3f09979228b8d6a43309724892f335ee0
Size

906KB
Sample

231012-p7f7esch89
MD5

1049d7dddfdbba574c041fae2cbbe326
SHA1

0066ecf82a2560a64b7424c9471663f04669fa15
SHA256

cefa523cb435720c81c933c07f02f2c3f09979228b8d6a43309724892f335ee0
SHA512

12babd6d6c04dd7601730549183668fa87a902b8b723c44553378ad10ffca3c1d5ef78bc44c9ff608173c9878476dad72d70db6a61dfe5054e6e588bac5b1167
SSDEEP

24576:XgLzfHoRAzX/Y/uLyHK/VKFP5ZO8YgdCt3ufQbn:XgLbIRK4fQGFdW3IA

Score

10^/10

remcos throttle rat

Malware Config

Extracted

Family

remcos

Botnet

throttle

C2

141.98.6.9:7044

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-LCB1D9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  PO350.exe
- Size
  
  994KB
- MD5
  
  8ba1b9dc62b3e8a9f8497a3d9e7eb015
- SHA1
  
  5b50af2c3a45c6a91836bd4010cc3ea561d90114
- SHA256
  
  5ad0bc2bae216bee7b9516d71f673ae773f7467eac446b0f44d963d5af5d574e
- SHA512
  
  6e00cda3a3e10105e525e0fe8dd9764cba72c4ce3ac393b61d499706db854d65967cd628970b4f38db6b93086dd62ed3e4869efc900151b2ccf2d0e4a886b375
- SSDEEP
  
  24576:lTfX1FUHIzmPkc/kvP3g6TP5ZOyYg3Cnp6B1c:lT/jUozKkUkvvHL3upOc
Score

10^/10

remcos throttle rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosthrottlerat