remcos | 3103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

3103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61
Size

904KB
Sample

240306-qezczabe6x
MD5

f41c63ec04a686dcd7acb8afe12a0a0e
SHA1

6e33557b27ab27b72cd7029d3db1f70f6cee2567
SHA256

3103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61
SHA512

0eb2dabc2d4a0e04fedc42b35e83dff6a6d83d9ca5f265b12583be9e6690efa6f84cae577516475c98f523709119471a1172ebd2f8deb5840e6bdd79904fbf74
SSDEEP

24576:fsZM8GtqcVf77qoVnl9mhFW1eNV3O0yd0Zg7i:HnVf7WoVnl9oWV0ykn

Score

10^/10

remcos vps4 evasion persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Vps4

C2

192.161.184.21:24054

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
Rlog.dat
keylog_flag
false
keylog_folder
DrWin
mouse_option
false
mutex
Rmc2024-Q4AYK1
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  3103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61
- Size
  
  904KB
- MD5
  
  f41c63ec04a686dcd7acb8afe12a0a0e
- SHA1
  
  6e33557b27ab27b72cd7029d3db1f70f6cee2567
- SHA256
  
  3103ebb8576654b0f3ef393bb5c860e93fb69ab8400e01295b25b0f244b34c61
- SHA512
  
  0eb2dabc2d4a0e04fedc42b35e83dff6a6d83d9ca5f265b12583be9e6690efa6f84cae577516475c98f523709119471a1172ebd2f8deb5840e6bdd79904fbf74
- SSDEEP
  
  24576:fsZM8GtqcVf77qoVnl9mhFW1eNV3O0yd0Zg7i:HnVf7WoVnl9oWV0ykn
Score

10^/10

remcos vps4 evasion persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosvps4evasionpersistencerat

behavioral2

remcosvps4evasionpersistencerat