remcos | f3b1d24ae8b5e245c9806b0c67ff1f7f93f5b86d639f5914a4a2b8dce22484e6 | Triage

Sharing

General

Target

List of suspected clients.zip
Size

3.0MB
Sample

240314-xvj2jsce5t
MD5

ff7debddc5a14ccd782628ac5f3ab9ce
SHA1

dbdba4601c0b3839f50b8c0f058853fe5b49e903
SHA256

f3b1d24ae8b5e245c9806b0c67ff1f7f93f5b86d639f5914a4a2b8dce22484e6
SHA512

a36ae6684bdbcb23ae7f4f150b5e46fb3d476bf424a379687ff3989a5d547443c860d2d4fbaba6d6b8fe90e61f49cf0c0a081f22341fab57d3c3364931f3e5be
SSDEEP

98304:kD1XxrgzYHflm+P8J481dx30uBb+VS9uyRv:WhrWYdm+Ef3L+VQR5

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Version

4.9.2 Light

Botnet

RemoteHost

C2

66.154.102.133:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-W6WVSY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  List of suspected clients/List of suspected clients.lnk
- Size
  
  2KB
- MD5
  
  58b6ff581948616b8f85dde8ca871e34
- SHA1
  
  58a9ae3d9d810feb6895804331a9ffcc4d0396f6
- SHA256
  
  7f621f8e117be1a9574709ac89d3abcdca2956b85ce2ee7b3169b0458366899d
- SHA512
  
  13d92ae7f4f77d1b87bdb73fff7266c87128faef905f09d9559505d5f086943310e1262844239defeeeb33e97df00d39ff7c2a7574023cc2235321e6150535e6
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  List of suspected clients/WCLDll.dll
- Size
  
  590KB
- MD5
  
  9005812bebfcc98db95def5b1c9b96f0
- SHA1
  
  d85f085c59fe8cca75352399ebc8510e2799bf68
- SHA256
  
  8acf6eea851ccd43a33eee9840794b9944eed61e5be0a7c403b79d3baa48940c
- SHA512
  
  c25c4eaef2d40d5294fcd2b15f3065cb3c6cad19cc5c32da4a81b20d99023dbfcccfa5fbc2d79f45892f7d858c04d956f1734d0359054fae9e609a5d604ab0b1
- SSDEEP
  
  12288:i+Se970XqzxUmUkVakh1d4wJjfXB7w86ywKUc6A9iSOJ7zP8cl7ksEjwdA9iOaQ:ce97qqzxXUkckh1d4wJjfB8vywKUc6A7
Score

1^/10
behavioral3 behavioral4
- Target
  
  List of suspected clients/moorefiles.pdf
- Size
  
  460KB
- MD5
  
  57ac3e59f69c27ce269a55e5235ee663
- SHA1
  
  dc747d32c947b085230e5b4abe72f7152ae404da
- SHA256
  
  54dcece696a9ac3ac7775233f1419e9ad098acafa98a8808759412a6423c2d6c
- SHA512
  
  0724dbbc27967e01cfeddeb423681b80023120a27c3cbb9367321d809b0e711bdf9b4358ca58413d06007fa80eb2df0bd0a5327fc6722ef5ecbda67c14194c3a
- SSDEEP
  
  12288:ZibjASKfqVPDsHtf2tLk2/oxwFsw5xNdNu1ITgfusIszh7C3Wv78:epKfqZDsAi2CwFsH1Y1sIsgW8
Score

1^/10
behavioral5 behavioral6
- Target
  
  List of suspected clients/msvcp140.dll
- Size
  
  427KB
- MD5
  
  71a0aa2d05e9174cefd568347bd9c70f
- SHA1
  
  cb9247a0fa59e47f72df7d1752424b33a903bbb2
- SHA256
  
  fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47
- SHA512
  
  6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a
- SSDEEP
  
  12288:bBsEzAVPIODrCdVgI7bwv674dOzhUgiW6QR7t5s03Ooc8dHkC2esy2n:9s8AVwOU7bwTdt03Ooc8dHkC2en2n
Score

3^/10
behavioral7 behavioral8
- Target
  
  List of suspected clients/ptMgr.dll
- Size
  
  2.5MB
- MD5
  
  2087eb2d3fb639933ebe0a0614fd5218
- SHA1
  
  c1a1b75c8e76e000b7045092bd11100904a72840
- SHA256
  
  725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f
- SHA512
  
  3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e
- SSDEEP
  
  49152:LvSyYrklCgEFFKYy3Hlll43MkyoYh0iXGu2B1BIthEjlI0UZhQZZmRvCH:GEkglDlH1VZ0uGu2lIQ
Score

3^/10
behavioral10 behavioral9
- Target
  
  List of suspected clients/ptSrv.exe
- Size
  
  202KB
- MD5
  
  64179e64675e822559cac6652298bdfc
- SHA1
  
  cceed3b2441146762512918af7bf7f89fb055583
- SHA256
  
  c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
- SHA512
  
  ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280
- SSDEEP
  
  3072:EMtKztOp6KfOQqoY3ltdNjlcwsSdplkrxf+Uyecgw:ELKfOQLY3l9jlcwnlUf+z7gw
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of SetThreadContext
behavioral11 behavioral12
- Target
  
  List of suspected clients/ptusredt.dll
- Size
  
  165KB
- MD5
  
  3c3e960d59cb413791fee1e944b6df72
- SHA1
  
  4aa6c90d81692642ca8266bf0d8e249ff3e3ad54
- SHA256
  
  88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67
- SHA512
  
  85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac
- SSDEEP
  
  3072:Ze0HJrRJW9+tjxQGsfzeV0YuNmu5uWj5ONq/1epLcv60H9+v:8SrRJGeNsry0hmuqRoy0H9u
Score

1^/10
behavioral13 behavioral14
- Target
  
  List of suspected clients/vcruntime140.dll
- Size
  
  81KB
- MD5
  
  16b26bc43943531d7d7e379632ed4e63
- SHA1
  
  565287de39649e59e653a3612478c2186096d70a
- SHA256
  
  346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517
- SHA512
  
  b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc
- SSDEEP
  
  1536:BDpX0WKXQn6s8/oB6xMSKgS9WnESDPIYMWC/q6mYIeTsu03/huecbFWzZoi:BF0ZQnm/oBab8y6mfe0vhuecbFWzZoi
Score

3^/10
behavioral15 behavioral16
- Target
  
  List of suspected clients/wbxtrace.dll
- Size
  
  103KB
- MD5
  
  530af153319a8254261d2de81b40cfe7
- SHA1
  
  63c7fb08e4dfe1e1cbd40a0fb333472822daa60a
- SHA256
  
  098e8c03cfb1bc11bd7176326a36d07d1dc282f5acd78a272289afd16b7506b3
- SHA512
  
  6a5998ffa86813d2825811ae9ebe2b5f43b26d02aae73395d720c83f89820af2006a93737356b138a5d736f2364a60abed5195692d58bf1866727727ab654805
- SSDEEP
  
  1536:3AIwJ6nSNBZVPzq8HpWt6/wemSMUQnToIf2T9U/huhAmJ8dDUfH:3jSNBHUt6/wgMUkTBf2hU/huhFJwM
Score

3^/10
behavioral17 behavioral18

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostrat

behavioral2

remcosremotehostrat

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

remcosremotehostrat

behavioral12

remcosremotehostrat

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18