remcos | 0a9f6da50ec15864bd2f5952afb9edd17a30ef0fa2d311a53e14a40ccd845152 | Triage

Sharing

General

Target

PO#HN-23629 INV# PF01536 And Packing List - Eskimo EI1000 ice maker#80616.scr.exe
Size

986KB
Sample

240606-h5hh5scb36
MD5

a92df2baf630f76926a12901dc0162c9
SHA1

c5ec73b54af3afbde64e08f58113422ee4c11e15
SHA256

0a9f6da50ec15864bd2f5952afb9edd17a30ef0fa2d311a53e14a40ccd845152
SHA512

8e4df3ad1cdcbacf09c907bcb69efa1ef4c5fd762a56b361fc29ba7cae1055431a0bcbb674eb43b1278bfc9d19f617a4ac6911c86e80db41348d695646ba31d2
SSDEEP

24576:f0N5O/WKY4QI3VjEBsJUFha3CjI93egym3lRI90AovitTPe11:8/eQIZGY3CU9egfU0AovitC11

Score

10^/10

remcos remotehost persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

104.250.180.178:7902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
AnyDesk.exe
copy_folder
AnyDesk
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
AnyDesk
mouse_option
false
mutex
AnyDesk-8BNQK6
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  PO#HN-23629 INV# PF01536 And Packing List - Eskimo EI1000 ice maker#80616.scr.exe
- Size
  
  986KB
- MD5
  
  a92df2baf630f76926a12901dc0162c9
- SHA1
  
  c5ec73b54af3afbde64e08f58113422ee4c11e15
- SHA256
  
  0a9f6da50ec15864bd2f5952afb9edd17a30ef0fa2d311a53e14a40ccd845152
- SHA512
  
  8e4df3ad1cdcbacf09c907bcb69efa1ef4c5fd762a56b361fc29ba7cae1055431a0bcbb674eb43b1278bfc9d19f617a4ac6911c86e80db41348d695646ba31d2
- SSDEEP
  
  24576:f0N5O/WKY4QI3VjEBsJUFha3CjI93egym3lRI90AovitTPe11:8/eQIZGY3CU9egfU0AovitC11
Score

10^/10

remcos remotehost persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostpersistencerat

behavioral2

remcosremotehostpersistencerat