remcos | db83be38acf27d84834da055d570805c8710fbef271e827ca8a645b989c70be8 | Triage

Submit
Reports

Overview

overview

Static

static

1

db83be38ac...e8.exe

windows7-x64

3

db83be38ac...e8.exe

windows10-2004-x64

Sharing

General

Target

db83be38acf27d84834da055d570805c8710fbef271e827ca8a645b989c70be8.exe
Size

1.1MB
Sample

240429-b5nltsef35
MD5

e4df9a487d5c234c9bf5d406596404bf
SHA1

8111cc21c3fcd1ea98e398e92f190ce98769f3e5
SHA256

db83be38acf27d84834da055d570805c8710fbef271e827ca8a645b989c70be8
SHA512

379e55976e6e5d9ddc1bdeb30dda8b04f75a827862af26f3670dd53039a0aac11e79e76517ff4281b17a1e7be0832e5be8120088729cb67036e388517fcb7c65
SSDEEP

24576:sfPjKr5BNDRLpxLMD/wc2IUbvYuWtu0uSJ6fd9tOF3kF:uk5BN9TLlLIx5truxf5IUF

Score

10^/10

remcos remotehost rat

Static task

static1

Behavioral task

behavioral1

Sample

db83be38acf27d84834da055d570805c8710fbef271e827ca8a645b989c70be8.exe

Resource

win7-20240221-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

db83be38acf27d84834da055d570805c8710fbef271e827ca8a645b989c70be8.exe

Resource

win10v2004-20240419-en

remcos remotehost rat

windows10-2004-x64

10 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sembe.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
nots.dat
keylog_flag
false
keylog_folder
note
keylog_path
%Temp%
mouse_option
false
mutex
Rmc-999Z97
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  db83be38acf27d84834da055d570805c8710fbef271e827ca8a645b989c70be8.exe
- Size
  
  1.1MB
- MD5
  
  e4df9a487d5c234c9bf5d406596404bf
- SHA1
  
  8111cc21c3fcd1ea98e398e92f190ce98769f3e5
- SHA256
  
  db83be38acf27d84834da055d570805c8710fbef271e827ca8a645b989c70be8
- SHA512
  
  379e55976e6e5d9ddc1bdeb30dda8b04f75a827862af26f3670dd53039a0aac11e79e76517ff4281b17a1e7be0832e5be8120088729cb67036e388517fcb7c65
- SSDEEP
  
  24576:sfPjKr5BNDRLpxLMD/wc2IUbvYuWtu0uSJ6fd9tOF3kF:uk5BN9TLlLIx5truxf5IUF
Score

10^/10

remcos remotehost rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosremotehostrat

© 2018-2025

Terms | Privacy