remcos | b594276cd687f2f0946b6f8c8b368cd87bb5353c6ebc426618f9429b0a511e4d | Triage

Sharing

General

Target

26.04.2024_Is_Bankasi_3435-577407_Odeme_Plani_448506074-577605079.Tar
Size

1.4MB
Sample

240427-nt6z9aad3t
MD5

72462f253da540f148fb0737c04513f3
SHA1

7f8a2365036def1251e89869248df92d4e41d6c1
SHA256

b594276cd687f2f0946b6f8c8b368cd87bb5353c6ebc426618f9429b0a511e4d
SHA512

d2343086944e11689f902e3d1dd9c2c5c7b9e1b4eb15ebbe09ef7822ab61b649fbd990d1efe29ae2b233082e2ba2c4dd58cff1475a1b3c20511e120fa5ced86c
SSDEEP

24576:K/ClrgNrkske8R3jFkCFvUd1mdlze3ADWmB+PhUnZWIZIeJrVNrcv9/LVKllrgqU:K/fk1eS3mEW4QAD5B0hTWIe1zcv98rgP

Score

10^/10

remcos biggscrypt persistence rat

Malware Config

Extracted

Family

remcos

Botnet

BiggsCrypt

C2

20.121.128.235:4876

20.121.128.235:4834

20.121.128.235:4845

20.121.128.235:4674

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
false
keylog_file
woro.dat
keylog_flag
false
keylog_path
%UserProfile%
mouse_option
false
mutex
ooowewaoowewssasaero-3KFJUJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  26.04.2024_Is_Bankasi_3435_577407_Odeme_Plani_448506074_577605079.cmd
- Size
  
  3.9MB
- MD5
  
  03be1875541362e498ed29e87234cc0b
- SHA1
  
  4e7bf4ad928b6f8cb60fd0aaeef353922b7a05b4
- SHA256
  
  d4104679ef8e8e8fa1dead2d5ecc0a3361656651de1b1fc44e471aef661292a0
- SHA512
  
  6324693fe5f4301e81dbb71db34f7bf7a77ccb612c0215995d5f43e4ae2c066112062d124d8a53f3c37e7add67e296ec939023f64fb2ebd2a32919e3231fffdf
- SSDEEP
  
  49152:c0yPIMFC7s8sc5R6AlCpwKwyKI+mI/VqWxNchKlWB/3cx64yJaKnImlWdgwC1B75:y
Score

10^/10

remcos biggscrypt persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

remcosbiggscryptpersistencerat