remcos | 5bd0dcbb3a410bb960bf18b3cc3d81ddff8205d2a372cc69ebb6e67306a9ec65 | Triage

Sharing

General

Target

16148109750.zip
Size

22KB
Sample

240322-h5lksshh37
MD5

0eb10cf91cc83e923f91ed0510fb6938
SHA1

d1280fc530ca0a0fe8d00c3ba19f5ab511e93655
SHA256

5bd0dcbb3a410bb960bf18b3cc3d81ddff8205d2a372cc69ebb6e67306a9ec65
SHA512

8608ed92e4283206e213b675fc59a1245490db3289fc98235ca54f2d61b943147bf2eea091c71f60c301205826b50be2c512f12241299cafd2684b5a5ff7469e
SSDEEP

384:b/s09MzxBEgLAbo4J9I95Yg0b+OLVOesUsp0stUVoluv4dTwJr4c2XPxO:H9MV5A+0alp0Uwv4loCE

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

newerra.duckdns.org:2445

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-QDIYCC
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  19faf5c8943d20578a22df34f949176bd39e712ad1709fbc26a58fdf16cf0571
- Size
  
  75KB
- MD5
  
  e6b9844a0a45ab8d2c2434cbe7ed7165
- SHA1
  
  51d1401902d659273128b4e1d65c1619b6c254fe
- SHA256
  
  19faf5c8943d20578a22df34f949176bd39e712ad1709fbc26a58fdf16cf0571
- SHA512
  
  d3a83e93b005765f9dc11d1c5a699a26382f2e0d91bc4a4036554edc31902411f8753c48f895beba068e3bf495b2223c4b246e7f004ec7fea89fd381192a47b6
- SSDEEP
  
  1536:V7RWJSCBBhMtPTy2O37H4YMG546I2PZVhtGx9xK4bHC2FkB/fEqcvxIB515+Tkg:9eLBMtPTy2O37HTZ46I2rhtGx9xVr2Bs
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Deletes itself
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostpersistencerat

behavioral2