remcos

General

Target

16601138110.zip
Size

103.4MB
Sample

240412-cv2w5sff9y
MD5

a8a2b1e178545dc2fa2e8ab3b1d3a982
SHA1

a2b790e6f22cdeaaaec6df200dc9717a248f4698
SHA256

ba8db0a36c729d98dc09fbd9c7ea62e1b62f5a435318af68bdb846063a325f21
SHA512

00e705ef5d2db546e45a6d50703e0fba85dca3a749e0cc58d5f122b2b7be3ddc7e3d8ceffd4b60df2d12779d75febd5de1f39488334cdbba154a54c1b5f011ee
SSDEEP

1572864:WwDvg0dZXY+6FlN0Y+urrFR9dXATcJxQzk2EHBzF0Spg5NT5cT8g1Z5a19xr02:W8o1NN0YJPATcAzk2EHBzFhpUNTC8gWv

Score

10^/10

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

clepdhunt.duckdns.org:4047

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-EN0WTA
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  My 2023 Tax DocumentsPDF.exe
- Size
  
  39KB
- MD5
  
  f1b14f71252de9ac763dbfbfbfc8c2dc
- SHA1
  
  dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
- SHA256
  
  796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
- SHA512
  
  636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
- SSDEEP
  
  768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Tier1.pdof
- Size
  
  102.1MB
- MD5
  
  db0521bd7e4b9fc803f9a900212eea02
- SHA1
  
  6c86b49b4c1e3ebcecd5376166bfe3bda6a141fa
- SHA256
  
  e95ce4146e3ffe7d5fde36340c01889f7634d6f91b92fbae1606bef9cb4a7cfb
- SHA512
  
  22d219dac43bd3200e666ef7e554584b0fd43c57c0a6dd7888dc80f71a9b5e73ba48400607205a4f1680af0ccaa197fdb1add05fc7f698e9246fe00a6a49080f
- SSDEEP
  
  3145728:96lH+byk0ZggBznCh2HCea5bQ92NmDVr9XqnZGWpg:M
Score

1^/10
behavioral3 behavioral4
- Target
  
  g2m.dll
- Size
  
  15.1MB
- MD5
  
  f14c14a6d5b1613242f061030fdb9163
- SHA1
  
  2a0d0c7ee40fdd3fe00a76b6d89c0e951deff8e2
- SHA256
  
  ba23ee91a54d3da0e2142a90def9ea6ead953621fdbb2c9a568ab68247993b90
- SHA512
  
  7993bd5510278adc273b4de6f62dc0eec06f12b294e62a9cf60319b2ae0bd1111a2aefb8af0876228d4c9e0a5d6e78fda5c494c6583ec92b6ba2b31be69dc4c8
- SSDEEP
  
  196608:W0ivGTAslgbSYBsnBho/wnBvq+4rMOblxz6qYFS1qY2aubxi58/EUxFFVs4zti:WzvfaEog+4rdbUTFVe
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral5 behavioral6