remcos | 92a8482b9e7ca1ad4d86c76cab2ed363fa995cdfa50c919a3714c28c7016020c | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

002863a161...20.rtf

windows7-x64

002863a161...20.rtf

windows10-2004-x64

1

Sharing

General

Target

002863a1610420fbdd33527b235ae720.rtf
Size

70KB
Sample

240416-t1cymsgd9y
MD5

002863a1610420fbdd33527b235ae720
SHA1

0e954b555b08faf3dae04019947ab06f751dddb0
SHA256

92a8482b9e7ca1ad4d86c76cab2ed363fa995cdfa50c919a3714c28c7016020c
SHA512

ea957090b43430f044006f08616a3a4b4fb71817c7abc03b8a0b702a1ffca37e0e62877e46bd6197b82b1460b36691365f49d9f001506b3bb610aa93853e514e
SSDEEP

1536:4l1SraAXer10fWIydP+5F1ooej8PKRecB4+itb52sDWtvUCUUSVpRA/o:MS+AXer10fWIydo1oxj8PKRecB4+itbT

Score

10^/10

remcos remotehost rat

Static task

static1

Behavioral task

behavioral1

Sample

002863a1610420fbdd33527b235ae720.rtf

Resource

win7-20240221-en

remcos remotehost rat

windows7-x64

15 signatures

150 seconds

Behavioral task

behavioral2

Sample

002863a1610420fbdd33527b235ae720.rtf

Resource

win10v2004-20240412-en

windows10-2004-x64

4 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

nomoreremcos.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-2DQRZG
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  002863a1610420fbdd33527b235ae720.rtf
- Size
  
  70KB
- MD5
  
  002863a1610420fbdd33527b235ae720
- SHA1
  
  0e954b555b08faf3dae04019947ab06f751dddb0
- SHA256
  
  92a8482b9e7ca1ad4d86c76cab2ed363fa995cdfa50c919a3714c28c7016020c
- SHA512
  
  ea957090b43430f044006f08616a3a4b4fb71817c7abc03b8a0b702a1ffca37e0e62877e46bd6197b82b1460b36691365f49d9f001506b3bb610aa93853e514e
- SSDEEP
  
  1536:4l1SraAXer10fWIydP+5F1ooej8PKRecB4+itb52sDWtvUCUUSVpRA/o:MS+AXer10fWIydo1oxj8PKRecB4+itbT
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Exploitation for Client Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostrat

behavioral2

© 2018-2025

Terms | Privacy

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.