remcos | 162a15e59ed243338657b1e3f050a8ab18771cdb7d5d5450da86cb78803e9d5c | Triage

Sharing

General

Target

3ba6e494a9d02ecd59a01bcce468b718_JaffaCakes118
Size

611KB
Sample

240512-xv663sbh4y
MD5

3ba6e494a9d02ecd59a01bcce468b718
SHA1

b972fc4364c866bb5954521a28b57644d3338a3e
SHA256

162a15e59ed243338657b1e3f050a8ab18771cdb7d5d5450da86cb78803e9d5c
SHA512

a6efe735ee76749536716e88b5a40f30b068e7d5ab45c155dfb7cf772358a9e41010682b9fa38ea526b988d1a2c74f92a54da7f7292da8e2c4e6a6080f7c3d8e
SSDEEP

12288:JSOMzWwjI8Dc1nk7rVgtBcX6zc55+75Kdp40/2a8WVhxE/QRrPFRzS0H6EcQcyP4:pjwrI1ktNX6zc/7A

Score

10^/10

remcos razy rat

Malware Config

Extracted

Family

remcos

Version

2.7.1 Pro

Botnet

RAZY

C2

reserverem.duckdns.org:4229

ddns.whsthings.xyz:4229

servr.plzbanif1abused.xyz:4229

okaka.duckdns.org:4229

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%AppData%
keylog_crypt
true
keylog_file
lolodtf.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
jjdhdbghhytgfewuytnhyugyrtployywqa-E7HH1X
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
wikipedia;solitaire;

Targets

- Target
  
  3ba6e494a9d02ecd59a01bcce468b718_JaffaCakes118
- Size
  
  611KB
- MD5
  
  3ba6e494a9d02ecd59a01bcce468b718
- SHA1
  
  b972fc4364c866bb5954521a28b57644d3338a3e
- SHA256
  
  162a15e59ed243338657b1e3f050a8ab18771cdb7d5d5450da86cb78803e9d5c
- SHA512
  
  a6efe735ee76749536716e88b5a40f30b068e7d5ab45c155dfb7cf772358a9e41010682b9fa38ea526b988d1a2c74f92a54da7f7292da8e2c4e6a6080f7c3d8e
- SSDEEP
  
  12288:JSOMzWwjI8Dc1nk7rVgtBcX6zc55+75Kdp40/2a8WVhxE/QRrPFRzS0H6EcQcyP4:pjwrI1ktNX6zc/7A
Score

10^/10

remcos razy rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2