remcos | 338c23abbf9f4d792d9bac20f519c89fafc6d340dbfd7afea56ebb5ea8f449b5 | Triage

Sharing

General

Target

16594936431.zip
Size

17.5MB
Sample

240411-aq84jsad2y
MD5

0362ad6a6be944da935487b6990fd1fd
SHA1

7d34e49e19cc79819b057dfe05cd90eb33c37342
SHA256

338c23abbf9f4d792d9bac20f519c89fafc6d340dbfd7afea56ebb5ea8f449b5
SHA512

ca05a5ba60aa55e81e7530b415bd3bd27cd87de22f8bd858acba5f9b059168372968b2effd96b4db1a4c7dec240df43ede906f666f00fe897320a393808ce5a0
SSDEEP

393216:NAryVUxcxFoIX68OAihvanABecJJULa/3kKopJWa0:NdUyxFoN8OthvanAIYO+/+pJWr

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

ogbatobanana.duckdns.org:4047

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-0R92B3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233
- Size
  
  150.0MB
- MD5
  
  3ceefa7bd30b2b5494c2cdb64342835c
- SHA1
  
  ef4cad7600788cc696cec53480dcfb67a5143adb
- SHA256
  
  e8eb6be89b47c2c5f4b61da460ae6c6d6bf150869624ad487df74b0d80351233
- SHA512
  
  a3f88fae400037427d3068d583317c08132ff936c21c3fa38a97afedb9b614302228903973ed3aa8b41fb266f5e1aa3c7550ce4b4653ea9d4b1c06a0c350880f
- SSDEEP
  
  786432:7UP7GCGO7b0Srkx/tC0SzIdSwh/WxbpNHQD3trzRp:7UP7GCG64Srkx1hSzYsHQD3t/R
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosremotehostpersistencerat