remcos | 45ba5f0e0f5ea330c12f0081f8861a75e65f2849e67038c6106930dd66543186 | Triage

Sharing

General

Target

havenewthingstounderstandwhichgivegreatthingsimeanbeautu=ifulthingseverfindedonearth____sheismygirlmywifemyheartsheis.doc
Size

76KB
Sample

240502-q3313acc39
MD5

0aba1094e29ed6d65fa5a8b1ec8c2e57
SHA1

5eb1d60525661ec561ae7e56ed2a5798c0462c1e
SHA256

45ba5f0e0f5ea330c12f0081f8861a75e65f2849e67038c6106930dd66543186
SHA512

2ed36b870531ea151290fea7942f4fed89e36a946e343b36134bae50f6d6b3a54902f25461ddf7d137d317bc81e30642379facf4b043c4a2191e8241a8d10eb5
SSDEEP

1536:CfcQtfa+Hc4YZJBQZCc45Wb/2Y0pRObbhIatQqJlioDfeMbKekD:ufa+Hc4YZJBQZV45Wb/qROb9IEJlioDO

Score

10^/10

remcos remotehost execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

sembe.duckdns.org:14645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
nots.dat
keylog_flag
false
keylog_folder
note
keylog_path
%Temp%
mouse_option
false
mutex
Rmc-999Z97
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  havenewthingstounderstandwhichgivegreatthingsimeanbeautu=ifulthingseverfindedonearth____sheismygirlmywifemyheartsheis.doc
- Size
  
  76KB
- MD5
  
  0aba1094e29ed6d65fa5a8b1ec8c2e57
- SHA1
  
  5eb1d60525661ec561ae7e56ed2a5798c0462c1e
- SHA256
  
  45ba5f0e0f5ea330c12f0081f8861a75e65f2849e67038c6106930dd66543186
- SHA512
  
  2ed36b870531ea151290fea7942f4fed89e36a946e343b36134bae50f6d6b3a54902f25461ddf7d137d317bc81e30642379facf4b043c4a2191e8241a8d10eb5
- SSDEEP
  
  1536:CfcQtfa+Hc4YZJBQZCc45Wb/2Y0pRObbhIatQqJlioDfeMbKekD:ufa+Hc4YZJBQZV45Wb/qROb9IEJlioDO
Score

10^/10

remcos remotehost execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Exploitation for Client Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostexecutionpersistencerat

behavioral2