remcos | 2e392a0fddd485b24600022bd5a5b99aa50d4104f7947afcd766f3627e06fc62 | Triage

Sharing

General

Target

16520114153.zip
Size

113.8MB
Sample

240411-aw7snsae6s
MD5

f6b5ccabd03578cbf00b5006cb9dd620
SHA1

36fd82507bc47496b82d8ccce99835a26ff72038
SHA256

2e392a0fddd485b24600022bd5a5b99aa50d4104f7947afcd766f3627e06fc62
SHA512

06653892bce2e933b27583502a3d95e8f73a96964583309ac7a1da6a5de142409de68021e87ba6258f52588a19ed9d7991f8f083604704c990ddfaddc75e43fa
SSDEEP

3145728:ytqafMvq3OGtC9i6Kk7fsSpoboZ9ZQx66aIKPpzxiaLWwP:UqaUvqoT7fFpoUZ9ZVrpzMAP

Score

10^/10

remcos remotehost evasion pdf rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

clepdhunt.duckdns.org:4047

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-S0GVOJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1099Misc.inf
- Size
  
  130.0MB
- MD5
  
  f158d3387c6e2cb1b482f7b7abee7e20
- SHA1
  
  9aadedb8049339dd027a45bc733caa1f6f3dc7a9
- SHA256
  
  c052369f476b624913e8aec1a3ba729d30b5d5f145c4c5c58d64f7d09cfa54b5
- SHA512
  
  93e92533c93d966007eaf6fb35772e362326eb8bd321f1db28cfa98943277589a393081157a8832f162776127eb91974e3f93a2ea3475e936db1f228973bc40e
- SSDEEP
  
  3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWp:
Score

1^/10
behavioral1 behavioral2
- Target
  
  Wrights 2023 1040 W2s TaxDocumentPDF.exe
- Size
  
  31KB
- MD5
  
  3e71ed46603b02a94b921411a19b7a5c
- SHA1
  
  b1374ef6717635d07015d8acb700cf95b2a66b12
- SHA256
  
  1131f33552a12921f6f4d7d9e503feae4b12c367d5377e226acf270f6b58ca6e
- SHA512
  
  28555a8bf20e4f8d42b21685c06e429bc5261f75e9fb65b970a322907d7da4a4ee7d367f4637ea4abb6ef32fae8e71a9d92b4f253a201e94548d68281edccbaf
- SSDEEP
  
  384:e8Kj/M8yEryzqEt7a9Oey+IFdP64VYaEwDtiBgxoxlnLr2STcEICxXBhgBx4eMDa:eDD1r+VWOV+csoHViBBn+EFIqeMDGvaS
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  g2m.dll
- Size
  
  200.0MB
- MD5
  
  20c883bfc44dcd6eda231560851723d2
- SHA1
  
  f479834bfabb38c950a6b2a00f87bf7cdc5e80bb
- SHA256
  
  570104241aec8d351f43c141352ceefafdad2778edd9dc455aee59f3d5ce250f
- SHA512
  
  2afa9ed3ded2d1658e1bf3d0b2ea753b302f559feb6de2478dda8f98e757b7a6397b39f284c51ab8822b7585728ae159f12ebcefc456fbdc7c5d55f9f476077d
- SSDEEP
  
  786432:3UP7GCGO7b0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpH:3UP7GCG64Srkx1hSzYsHQD3t/R
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Suspicious use of SetThreadContext
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

remcosremotehostrat

behavioral4

remcosremotehostrat

behavioral5

behavioral6

remcosremotehostrat