remcos | 6371b48a99a80e174d8f2a0a9245f060cb81a29422067453444d247c9c669e65 | Triage

Sharing

General

Target

6371b48a99a80e174d8f2a0a9245f060cb81a29422067453444d247c9c669e65.exe
Size

502KB
Sample

240511-khsfyaca34
MD5

00ba7c7288a2f5dfa4d5830c4f4d2136
SHA1

30f5d6789f0df7e3a07157c46670406a5062a657
SHA256

6371b48a99a80e174d8f2a0a9245f060cb81a29422067453444d247c9c669e65
SHA512

d39601d93962ebd1aff1b6a5f568f6ba29c3662e33efcd1d26162f2051642cc7419c73b389d0438ca994d0794d172e76f6afe3a192b0889dc836543f20a53f6b
SSDEEP

12288:iMwDzKqeuG3wRlbfqMj1AfOw4M/pmveDZu:7wDs3wRV//JM/p6eDZu

Score

10^/10

remcos remotehost collection execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

172.93.222.147:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GZK076
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  6371b48a99a80e174d8f2a0a9245f060cb81a29422067453444d247c9c669e65.exe
- Size
  
  502KB
- MD5
  
  00ba7c7288a2f5dfa4d5830c4f4d2136
- SHA1
  
  30f5d6789f0df7e3a07157c46670406a5062a657
- SHA256
  
  6371b48a99a80e174d8f2a0a9245f060cb81a29422067453444d247c9c669e65
- SHA512
  
  d39601d93962ebd1aff1b6a5f568f6ba29c3662e33efcd1d26162f2051642cc7419c73b389d0438ca994d0794d172e76f6afe3a192b0889dc836543f20a53f6b
- SSDEEP
  
  12288:iMwDzKqeuG3wRlbfqMj1AfOw4M/pmveDZu:7wDs3wRV//JM/p6eDZu
Score

10^/10

remcos remotehost collection execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  Beedi145/topically.exe
- Size
  
  1KB
- MD5
  
  736259da4e0d21fba8c7f86ecb424ce3
- SHA1
  
  03b0d554f01a5b876fa33e755016b3dfe389c0cd
- SHA256
  
  411a45e06eaad98f70ff338b9f35e7d27bb2e7ca1376c93f5781dc394d0754c9
- SHA512
  
  c2726be1e6ac60de78d0649d6d187a955d5dbad97ece1c69eaf05ad4ca4c44acd1c938dd0eae3637497403439ae7b871931be14020a46e7ceaa4f21e0d6cbc1e
Score

1^/10
behavioral3 behavioral4
- Target
  
  Turbid/Bilvragene/unbendable/Fordrejelsens5.com
- Size
  
  2KB
- MD5
  
  33ee9b72f46c690c452275d95acead7c
- SHA1
  
  b7f49f22a40fe7e1ff7d12a5cc18946f37d015c2
- SHA256
  
  8aecb386474d73a802d255d1aba5b7413fdcdc8116635964bafd311b2596d9d6
- SHA512
  
  fe135c823a440b05c24febc3f94f5d7f509e15c90fb282d1c93a94cdf5ff3560a98d3d43cd36f085d1bd8360f4ef2ce4f910694bbef7a1f1f6c1966b4ec1e6ca
Score

1^/10
behavioral5 behavioral6

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosremotehostcollectionexecutionrat

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6