remcos | a5d707684f36df7d6046e10f9bd793090d5750716895c366ef7d407988a2bca7 | Triage

Submit
Reports

Overview

overview

Static

static

3

RFQ 1100-656-02.exe

windows7-x64

RFQ 1100-656-02.exe

windows10-2004-x64

Sharing

General

Target

RFQ 1100-656-02.ace
Size

841KB
Sample

240522-j2nreshc6z
MD5

4114f0297ccb4ec74787cd25a71ec727
SHA1

e07c62c1ae10934ef698a8ac5b5dc67b9fe2bde8
SHA256

a5d707684f36df7d6046e10f9bd793090d5750716895c366ef7d407988a2bca7
SHA512

bba0f844cbde1475f3f38e18cafc6f630c24c9ca0ac8c674f25c8b1436f0dd2ed0335b9dc69c860e9fcb2acc7b69c8f73d7ff06c179011921ccc43b72b94196d
SSDEEP

24576:h2W4bzKA/ZkHJXGfDJJJu2lm4SeCWloDkOgGQLfb:0PbeekHJXGtJJu2EBNWl4kf

Score

10^/10

remcos ky mix collection evasion execution rat trojan

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

RFQ 1100-656-02.exe

Resource

win7-20231129-en

remcos ky mix collection evasion execution rat trojan

windows7-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

RFQ 1100-656-02.exe

Resource

win10v2004-20240426-en

remcos ky mix collection evasion execution rat trojan

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

KY MIX

C2

192.210.201.57:52499

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-M2GVTY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  RFQ 1100-656-02.exe
- Size
  
  856KB
- MD5
  
  a27c4215869da7c1f2121c54ec27549b
- SHA1
  
  f370447ada466a0db44bbd930e8517f79c35f0ba
- SHA256
  
  358f8d58da6f43e4cdb17fecc2e1fbb6a6492ca681d7c48080fd432ae834aa9c
- SHA512
  
  4b0c74606e1bc5422e21af49cfc433f71084661f4fbb5624efb57f46bcfdd916e3681ece8b28c343787fb1613e6791bef6ffca2f7ce1b1f140aa1cde7fffa556
- SSDEEP
  
  24576:j/odxK26kNtue9MTdBfW3HJfREKSPZYhkngIlBUKDWA:GrtuHBBUHJaPZYh3y3WA
Score

10^/10

remcos ky mix collection evasion execution rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Accesses Microsoft Outlook accounts
  collection
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Email Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosky mixcollectionevasionexecutionrattrojan

behavioral2

remcosky mixcollectionevasionexecutionrattrojan

© 2018-2024

Terms | Privacy