remcos | 16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce | Triage

Submit
Reports

Overview

overview

Static

static

3

16e9bc6afb...ce.exe

windows7-x64

16e9bc6afb...ce.exe

windows10-2004-x64

Sharing

General

Target

16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe
Size

884KB
Sample

240404-bltzhaag34
MD5

cb60f9802b22337e3182ff3045e848fa
SHA1

b3d29c2524c103e786e2a73c3dfdbe37b8e0ee28
SHA256

16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce
SHA512

bb7a9e679caa06f904eff2b4f08006d2cbeae03dfaa9e7a6b90e667040bedee607c8d147a16b56d5ecae99a11e0e9f6fdafc436f48867e12022198020f749be0
SSDEEP

24576:6OKGhEYdA9mPUiGZHQZcrOuP115OI7BN1:dKGhEYdAMfhSd155B

Score

10^/10

remcos remotehost rat

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe

Resource

win7-20240221-en

remcos remotehost rat

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe

Resource

win10v2004-20240319-en

remcos remotehost rat

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

91.92.244.17:2707

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-ZBS4C6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce.exe
- Size
  
  884KB
- MD5
  
  cb60f9802b22337e3182ff3045e848fa
- SHA1
  
  b3d29c2524c103e786e2a73c3dfdbe37b8e0ee28
- SHA256
  
  16e9bc6afb3e487749ffed54bace65bb58dd5257c66a0baef767d371eda437ce
- SHA512
  
  bb7a9e679caa06f904eff2b4f08006d2cbeae03dfaa9e7a6b90e667040bedee607c8d147a16b56d5ecae99a11e0e9f6fdafc436f48867e12022198020f749be0
- SSDEEP
  
  24576:6OKGhEYdA9mPUiGZHQZcrOuP115OI7BN1:dKGhEYdAMfhSd155B
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Detects executables packed with SmartAssembly
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Scripting

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosremotehostrat

behavioral2

remcosremotehostrat

© 2018-2024

Terms | Privacy