remcos | 0fb1d11732acd516de3da578ac8d7a4a0f51684f588898bc0621fe5424cef0eb | Triage

Sharing

General

Target

Teklif-Formu.jar
Size

64KB
Sample

240509-pclhnagh3w
MD5

8f32b6ad5a4b0bf593c5e8cfe8afd04b
SHA1

02623723f9a9af013df424336d45ada46abe9472
SHA256

0fb1d11732acd516de3da578ac8d7a4a0f51684f588898bc0621fe5424cef0eb
SHA512

185bb366786dc1a1a54dcb623341f7a727842685aa50d48dcc4bafe5135feaa1f6294a874faa55fdc91816a43bd60ab543c9284b7eec97d8cedf65dd62de282c
SSDEEP

1536:sFVl2U0Gg0HxEjXu28Gut9+gnzqYgMYw0Sr8awyvI0cNFl:sFv2U0GXUu28P7HZY84awyv3cNFl

Score

10^/10

remcos strrat may day discovery evasion persistence rat stealer trojan

Malware Config

Extracted

Family

strrat

C2

elastsolek21.duckdns.org:4781

zekeriyasolek45.duckdns.org:4781

Attributes

license_id
WFC9-W4KB-388F-9KY1-S6JV
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Extracted

Family

remcos

Botnet

May Day

C2

zekeriyasolek45.duckdns.org:3321

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
Windows Data Start.exe
copy_folder
Windows Data Start-Up
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%WinDir%
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Window Display
keylog_path
%WinDir%
mouse_option
false
mutex
Windows Audio-EIQQ40
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Teklif-Formu.jar
- Size
  
  64KB
- MD5
  
  8f32b6ad5a4b0bf593c5e8cfe8afd04b
- SHA1
  
  02623723f9a9af013df424336d45ada46abe9472
- SHA256
  
  0fb1d11732acd516de3da578ac8d7a4a0f51684f588898bc0621fe5424cef0eb
- SHA512
  
  185bb366786dc1a1a54dcb623341f7a727842685aa50d48dcc4bafe5135feaa1f6294a874faa55fdc91816a43bd60ab543c9284b7eec97d8cedf65dd62de282c
- SSDEEP
  
  1536:sFVl2U0Gg0HxEjXu28Gut9+gnzqYgMYw0Sr8awyvI0cNFl:sFv2U0GXUu28P7HZY84awyv3cNFl
Score

10^/10

remcos strrat may day evasion persistence rat stealer trojan discovery
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- STRRAT
  STRRAT is a remote access tool than can steal credentials and log keystrokes.
  trojan stealer strrat
- UAC bypass
  evasion trojan
- Adds policy Run key to start application
  persistence
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

File and Directory Permissions Modification

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosstrratmay dayevasionpersistenceratstealertrojan

behavioral2

remcosstrratmay daydiscoverypersistenceratstealertrojan