remcos | fdf9b8a9bb4b5c3c05290c2687a22b05c3f3ce41800194ffc0a9485fdad307bc | Triage

Submit
Reports

Overview

overview

Static

static

5

z43FAC98656700.exe

windows7-x64

1

z43FAC98656700.exe

windows10-2004-x64

Sharing

General

Target

z43FAC98656700.CMD
Size

1.6MB
Sample

240113-pr4yjsbbh6
MD5

5daa7319b2aaa040d63ba9075ce08d72
SHA1

410df93e347a277922528daf4aacd09dc301dd59
SHA256

fdf9b8a9bb4b5c3c05290c2687a22b05c3f3ce41800194ffc0a9485fdad307bc
SHA512

cf869b9abc6ef55a10765ef77d0dc34ec44e614991a881216ba5eac7491c118e578d585dd5835b1eaf24a2812143ccaf7d655bc8a5ae965b9ceb44c91ab5fcc3
SSDEEP

49152:oTvC/MTQYxsWR7aKHgqKs31lHJ7MLdNXAcvYVzl04s8Z:gjTQYxsWRNHgqKs31lHJ7MBlxYzeI

Score

10^/10

remcos pc persistence rat

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

z43FAC98656700.exe

Resource

win7-20231129-en

windows7-x64

0 signatures

150 seconds

Behavioral task

behavioral2

Sample

z43FAC98656700.exe

Resource

win10v2004-20231215-en

remcos pc persistence rat

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

PC

C2

107.175.229.139:8087

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-X5MJYU
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  z43FAC98656700.CMD
- Size
  
  1.6MB
- MD5
  
  5daa7319b2aaa040d63ba9075ce08d72
- SHA1
  
  410df93e347a277922528daf4aacd09dc301dd59
- SHA256
  
  fdf9b8a9bb4b5c3c05290c2687a22b05c3f3ce41800194ffc0a9485fdad307bc
- SHA512
  
  cf869b9abc6ef55a10765ef77d0dc34ec44e614991a881216ba5eac7491c118e578d585dd5835b1eaf24a2812143ccaf7d655bc8a5ae965b9ceb44c91ab5fcc3
- SSDEEP
  
  49152:oTvC/MTQYxsWR7aKHgqKs31lHJ7MLdNXAcvYVzl04s8Z:gjTQYxsWRNHgqKs31lHJ7MBlxYzeI
Score

10^/10

remcos pc persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

remcospcpersistencerat

© 2018-2024

Terms | Privacy