remcos | a1f9dccf3bf17ca1e478456d6deae103abb5b4d09855aa043546376d25313b84 | Triage

Sharing

General

Target

INV20242205.zip
Size

839KB
Sample

240523-ryggyaee3x
MD5

78a53aba07df9e68365a07a41846ee1e
SHA1

f14720e960fe9b6d7438d758c50957e1f9c71c7c
SHA256

a1f9dccf3bf17ca1e478456d6deae103abb5b4d09855aa043546376d25313b84
SHA512

0c1eddf7545e04be9ea652a9b46ea8844c923501a72a75617c163759e7e20299a52dd3b923e48400eb1117161ab2f0f2e94efc87c36772277a06479e0a4cfe37
SSDEEP

24576:CaeNHy7bHTezMzt1Vw1ERPneLKLHdx+t1p+kDRz:jeNHuzGLmdKp+klz

Score

10^/10

remcos remotehost evasion execution rat trojan

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

91.214.78.17:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-MF7K1V
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  INV20242205.bat
- Size
  
  865KB
- MD5
  
  d6437b4cd799fa74f3851d2f6b077b9d
- SHA1
  
  d2868bc13d71560e96cd65852aa7bb0658a44426
- SHA256
  
  00ea3c0ae890c065ba83631f1a7d7018152ec44114d80dc8d8670d499e66b91c
- SHA512
  
  3cfb10162483a5200771a71ae4ea6fd945add4ebc391d6cac8fb3116d3133da2175cd4c5b14c980ba7c522dd0261b946f21195b35bcc47f35a5e10c184212771
- SSDEEP
  
  24576:7pLHyfbTB4z6jtxXWlEfPpELK37dP+vTpwyDbC:7pLHIziL2dIpwy3C
Score

10^/10

remcos remotehost evasion execution rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Windows security bypass
  evasion trojan
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Windows security modification
  evasion trojan
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostevasionexecutionrattrojan

behavioral2

remcosremotehostevasionexecutionrattrojan