remcos | 230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f | Triage

Sharing

General

Target

230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe
Size

1.3MB
Sample

240517-p32bssab34
MD5

a8e4c5bfdec6d09b86b1a522c2348367
SHA1

3a13ff10d314c01d9a5ecb766274757dcc508c2b
SHA256

230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f
SHA512

02a663a444240847b2efc796bf2ead272c8b6d9dd678e01b9026fd42dcaad37bbc9cac2d3eb26590d66919ac0b0c10e66f27f5074ebac8c88c7709ca701620f1
SSDEEP

24576:TxB9gs/l97fTp+hmFVrWHGc6H+pvxoOXk81pRNHBoKkoR:/L7bwwBH+1xFXkwpRJZ9R

Score

10^/10

remcos remotehost collection evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

107.173.4.16:2560

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-KDW6BI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f.exe
- Size
  
  1.3MB
- MD5
  
  a8e4c5bfdec6d09b86b1a522c2348367
- SHA1
  
  3a13ff10d314c01d9a5ecb766274757dcc508c2b
- SHA256
  
  230d403e4d6b1f4e3a7c2e1a7fc33d0f9d34984d782cb3ffee1a3621d260609f
- SHA512
  
  02a663a444240847b2efc796bf2ead272c8b6d9dd678e01b9026fd42dcaad37bbc9cac2d3eb26590d66919ac0b0c10e66f27f5074ebac8c88c7709ca701620f1
- SSDEEP
  
  24576:TxB9gs/l97fTp+hmFVrWHGc6H+pvxoOXk81pRNHBoKkoR:/L7bwwBH+1xFXkwpRJZ9R
Score

10^/10

execution remcos remotehost collection evasion rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Accesses Microsoft Outlook accounts
  collection
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosremotehostcollectionevasionexecutionrattrojan