remcos | 65db81a51aa3831d6aa297642c1a992784905a194974450d1f4c283026b8ff00 | Triage

Sharing

General

Target

All.2023.Tax.Documents.zip
Size

19.8MB
Sample

240520-wf16vabh61
MD5

4c9bbf6d3f3634c69cb0be7461ca6a0b
SHA1

58305aae7916b29f78382dc00e6014553960a8bf
SHA256

65db81a51aa3831d6aa297642c1a992784905a194974450d1f4c283026b8ff00
SHA512

cf887b9abe10854658f48f3165f893299de673fbdacb27b57c42ae0de08670a1905b2a376db62f7d6dba08c790909c71bc750b1453f8549789ae36b3084dceef
SSDEEP

393216:ftOdzfmZfX/s8EkKM5sOzs30EcfhKmJ6qqNm3eiW2cTWk9X92y+Xp:fcAZfkMKM5sxEEy76qfLWXTWOg

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

jelelaiyegba.duckdns.org:6060

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TLKW96
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Tax Organizer.exe
- Size
  
  6.1MB
- MD5
  
  4864a55cff27f686023456a22371e790
- SHA1
  
  6ed30c0371fe167d38411bfa6d720fcdcacc4f4c
- SHA256
  
  08c7fb6067acc8ac207d28ab616c9ea5bc0d394956455d6a3eecb73f8010f7a2
- SHA512
  
  4bd3a16435cca6ce7a7aa829eb967619a8b7c02598474e634442cffc55935870d54d844a04496bf9c7e8c29c40fae59ac6eb39c8550c091d06a28211491d0bfb
- SSDEEP
  
  98304:VZQIM+/nv/CDoAkYwpAa5ge1zZ/jtdZwUkQ:bJCKlA2VKUz
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral1 behavioral2
- Target
  
  msimg32.dll
- Size
  
  45.1MB
- MD5
  
  58c43477d90dce1e7bac5bbab9c0a5a7
- SHA1
  
  d20041b5b1927aeb5887f331b2ed594e14fe8513
- SHA256
  
  58c44d41b335c5b8c4f399c05fcef83a2d024211eec09b1ade5335b96b1f64c4
- SHA512
  
  c82dcef12e83601bc8f84f5341d8a74c9368ac9093a0f913746ac7a3ce0a856ad6d3faa921b29f3c471cf5a1124339534c21967fa23367119386183d9c044bf4
- SSDEEP
  
  786432:bUP7GCGO7t0Srkx/tC0SzIdSwh/WxbpNHQD3trzRpvf9:bUP7GCG6iSrkx1hSzYsHQD3t/Rx1
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostpersistencerat

behavioral2

remcosremotehostpersistencerat

behavioral3

remcosremotehostpersistencerat

behavioral4

remcosremotehostpersistencerat