remcos | 4ef5bfe39def9251390590c41974d579bb0a8126b107375b1e3e91d17c792f60 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

sosihuj.bat
Size

36KB
Sample

240127-v715gsagap
MD5

5d3b89b5a3e73badd8f4a150672ca093
SHA1

3dd5963d0c52ac3c3fec47fd4f3405f6bbffd12e
SHA256

4ef5bfe39def9251390590c41974d579bb0a8126b107375b1e3e91d17c792f60
SHA512

141a9636845770b3fea2cedbe4c74359a466dd0d85ac28f7b30d2cb841e569becd410ad27ed31a6b9dadbdb055c4c54c47fab3c3ee5d8fce85db4f0daefb67b5
SSDEEP

768:6NnmZ/8vPlLUdhfJ8v6utFpVsOHjPgpG5IXi7D113r1:snwu4DejVdiG5Vhr

Score

10^/10

remcos dlscord collection persistence rat

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Dlscord

C2

shall-someone.gl.at.ply.gg:60408

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
10
connect_interval
5
copy_file
Bin.exe
copy_folder
Factorio
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%SystemDrive%
keylog_crypt
true
keylog_file
driver.dat
keylog_flag
false
keylog_folder
keyboard drivers
keylog_path
%WinDir%\System32
mouse_option
false
mutex
remcos_bfpmypnbrt
screenshot_crypt
true
screenshot_flag
true
screenshot_folder
Screen drivers
screenshot_path
%WinDir%\System32
screenshot_time
60
startup_value
Windows.Defender
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  sosihuj.bat
- Size
  
  36KB
- MD5
  
  5d3b89b5a3e73badd8f4a150672ca093
- SHA1
  
  3dd5963d0c52ac3c3fec47fd4f3405f6bbffd12e
- SHA256
  
  4ef5bfe39def9251390590c41974d579bb0a8126b107375b1e3e91d17c792f60
- SHA512
  
  141a9636845770b3fea2cedbe4c74359a466dd0d85ac28f7b30d2cb841e569becd410ad27ed31a6b9dadbdb055c4c54c47fab3c3ee5d8fce85db4f0daefb67b5
- SSDEEP
  
  768:6NnmZ/8vPlLUdhfJ8v6utFpVsOHjPgpG5IXi7D113r1:snwu4DejVdiG5Vhr
Score

10^/10

remcos dlscord collection persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
  collection
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Remote System Discovery

System Information Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosdlscordcollectionpersistencerat

behavioral2

remcosdlscordcollectionpersistencerat