remcos | be68a61ff56d7c7f2b9331a7ce88918b5328d935e11696f11b832af09acb5530 | Triage

Sharing

General

Target

51d806635ea1e2a5459244de31ea2ba4_JaffaCakes118
Size

832KB
Sample

240517-2lrr9aeg5x
MD5

51d806635ea1e2a5459244de31ea2ba4
SHA1

0c6f3e330c2ae82d110d9f4040bfb9221ef6908a
SHA256

be68a61ff56d7c7f2b9331a7ce88918b5328d935e11696f11b832af09acb5530
SHA512

9cb5f91033803ba439b2b3d18d1a992a4ebbdb4288b2fe77c3b20d4751ad887a8655f375bf7a58b3fbe9761f82b682397589ca0fed50276c84d067a494564545
SSDEEP

24576:D2O/GllnX7Pv1W+KrgYsPHtlnOCLs2lQlZP69cE+5:yX7Hc+KM7Htlruri9cj5

Score

10^/10

remcos persistence rat

Malware Config

Targets

- Target
  
  51d806635ea1e2a5459244de31ea2ba4_JaffaCakes118
- Size
  
  832KB
- MD5
  
  51d806635ea1e2a5459244de31ea2ba4
- SHA1
  
  0c6f3e330c2ae82d110d9f4040bfb9221ef6908a
- SHA256
  
  be68a61ff56d7c7f2b9331a7ce88918b5328d935e11696f11b832af09acb5530
- SHA512
  
  9cb5f91033803ba439b2b3d18d1a992a4ebbdb4288b2fe77c3b20d4751ad887a8655f375bf7a58b3fbe9761f82b682397589ca0fed50276c84d067a494564545
- SSDEEP
  
  24576:D2O/GllnX7Pv1W+KrgYsPHtlnOCLs2lQlZP69cE+5:yX7Hc+KM7Htlruri9cj5
Score

10^/10

remcos persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcospersistencerat

behavioral2

remcospersistencerat