remcos | b9b8d30d6757b34902ef37849e61eba745f6c5bd476b41f1e993b86bf8099449 | Triage

Sharing

General

Target

f.cmd
Size

4.7MB
Sample

240523-mkkvzsdb92
MD5

c3a17194e3f679078eee9f539fe1d6f4
SHA1

64defa4bcca8298bc58f30fca4c0cfc561263465
SHA256

b9b8d30d6757b34902ef37849e61eba745f6c5bd476b41f1e993b86bf8099449
SHA512

169a2265c68654cb4b19898772c2ad35c758b4b5d65f2b25be71f724d379bc123fabc2b505cfedb1c09d3b79db8a291a9227988c5e1622631ea7b2cf5aa4efa4
SSDEEP

24576:CN3QGmU4n/+6JVT+avOgeF/ehZ2gRrxBJGhRCAQ:CFQGmdn/+GdRvOX9gRqQ

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

myumysmeetr.ddns.net:2404

mysweeterbk.ddns.net:2404

meetre1ms.freeddns.org:2404

bbhmeetre1ms.freeddns.org:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-TPT9X3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  f.cmd
- Size
  
  4.7MB
- MD5
  
  c3a17194e3f679078eee9f539fe1d6f4
- SHA1
  
  64defa4bcca8298bc58f30fca4c0cfc561263465
- SHA256
  
  b9b8d30d6757b34902ef37849e61eba745f6c5bd476b41f1e993b86bf8099449
- SHA512
  
  169a2265c68654cb4b19898772c2ad35c758b4b5d65f2b25be71f724d379bc123fabc2b505cfedb1c09d3b79db8a291a9227988c5e1622631ea7b2cf5aa4efa4
- SSDEEP
  
  24576:CN3QGmU4n/+6JVT+avOgeF/ehZ2gRrxBJGhRCAQ:CFQGmdn/+GdRvOX9gRqQ
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostpersistencerat

behavioral2

remcosremotehostpersistencerat