remcos | db15a69d0ca99a99a6c6771ab9598bf8d93d29d036eff64f52dc262048bd8e39 | Triage

Sharing

General

Target

myrecentfiles23.zip
Size

1.2MB
Sample

240423-qhzsxagf46
MD5

96d1b33fac966dbc7c57d6f4f3eb7baa
SHA1

7aed90b11e760e5407150831bafbfeb22abf9805
SHA256

db15a69d0ca99a99a6c6771ab9598bf8d93d29d036eff64f52dc262048bd8e39
SHA512

c1cbeca0a9a788be180fa6b77c58814e8356b2ca0fe3a0eb0fd2e52cab5a36e386803037262e19b3a984ad876331fc683181fe799fa22962ed9838b4a7727856
SSDEEP

24576:wMeahBcXubqTXgqLsgyZ58TYi/c9G3DdBVkJ+rRea:wMeahBSuAX6hiceDaCx

Score

10^/10

remcos remotehost rat

Malware Config

Extracted

Family

remcos

Version

4.9.4 Pro

Botnet

RemoteHost

C2

69.174.100.12:5009

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-T52Q4O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  MLD.pdf
- Size
  
  629KB
- MD5
  
  c680bf3ef7c086c42f6f3a6ce6e957d7
- SHA1
  
  30a5a66451049e4ba84e63ae8253be6ffb9d16b8
- SHA256
  
  92fbfa17b4dd1c0353ef4d7bfb5649c3a916c4e2e58303538f83db65cc709b82
- SHA512
  
  c5b35a9672fbbcfc5e2905635b4541fe0f4ce51647fbdf0e9274616de2d69bee625a84bda48b451cc546adf70add01afd696c2a449c9e58c581c57f6a66979f8
- SSDEEP
  
  12288:hVxC0WBfGHl+hcnGuOLL6r3u3Db9Ayk1s8AX3wqSkj368sSw3p7FFznkIwgx1eBV:onfi+cnGTU47k1AnwqSssvznkIwgxkBV
Score

1^/10
behavioral1 behavioral2
- Target
  
  g2m.dll
- Size
  
  399KB
- MD5
  
  326683813b145cc5469dff1f77c701e3
- SHA1
  
  b31eb0e91c6e70719a15dd61e7e374ce2b7782c1
- SHA256
  
  93439fe9b45d7b6e9fcdc5e68fd47677ea17025e4eabb6f1468cb9ae98ee8a5b
- SHA512
  
  981bf18aa03259a557eed4fc336d27f3f55b3a0421e70b6b59c5ef9753be885b537d5e55f2d58753621b57aa6079708d35732edddd4d97d4891b79600e631fc3
- SSDEEP
  
  6144:u9rSWpovUahUzo+NY7+c2wkYUL8NuS3ZCXfrUNfu:u9TpofojwjUL8IJ8
Score

3^/10
behavioral3 behavioral4
- Target
  
  myrecentfiles.lnk
- Size
  
  2KB
- MD5
  
  f76cb7bb3dcc0fa8dfeb0d8b23f47e61
- SHA1
  
  5ecaf84cc9742518bd27d29b8e3d401ca9f0af4b
- SHA256
  
  8e7eb07f9e6ff4d5e7db3dcf8bcbf909693cce12693a43c1ddd8b221cdf3a9e8
- SHA512
  
  b018e2b989935f1ecb35eb41855027791aee5900e679a5bf5836eaef8a6456946b9289b6b37f8c92af3a95008109633583d55f13f8c3a0df3a76b13c0a835bbb
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral5 behavioral6
- Target
  
  winsys.odt
- Size
  
  39KB
- MD5
  
  f1b14f71252de9ac763dbfbfbfc8c2dc
- SHA1
  
  dcc2dcb26c1649887f1d5ae557a000b5fe34bb98
- SHA256
  
  796ea1d27ed5825e300c3c9505a87b2445886623235f3e41258de90ba1604cd5
- SHA512
  
  636a32fb8a88a542783aa57fe047b6bca47b2bd23b41b3902671c4e9036c6dbb97576be27fd2395a988653e6b63714277873e077519b4a06cdc5f63d3c4224e0
- SSDEEP
  
  768:YRQnUhG5bZDOTpkdD82YbQkRFokFWIILPUh:FWObZDOTpk5T6zqAh
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
behavioral7 behavioral8

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

remcosremotehostrat

behavioral7

behavioral8

remcosremotehostrat