remcos | 12e8e180f6fd61d5f6968652409f185906b3dadf2e720816125a5a44e0e33384 | Triage

Resubmissions

Sharing

Copy URL Twitter E-mail

General

Target

1mges_Diana_lea.zip
Size

1.8MB
Sample

240606-yyp8eabd61
MD5

b63143035aa57019c297a481cedcf672
SHA1

18df2cc124c3eec3e09a65b679463aeace2339d3
SHA256

12e8e180f6fd61d5f6968652409f185906b3dadf2e720816125a5a44e0e33384
SHA512

29d3e4504eb8dd9711fbf7963a9693b881151d8276c6b9f5e153360d8e747c80e230915fc5b8d30175779a29601d322bc57d927915288073ba43d655290877b6
SSDEEP

49152:ddxi+RezpXDeFynNSepjH4zN0YqAEM7+bpm3yi7ms:d7nRelXDeFyUex4zNTqXMyNm3l7f

Score

10^/10

remcos xlux0rxtrafic rat

Malware Config

Extracted

Family

remcos

Botnet

XLUX0RXTRAFIC

C2

148.113.165.11:127

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
asasa1-GOLST8
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  ''
- Size
  
  2.1MB
- MD5
  
  487266b0bba834b97662daa96679a16e
- SHA1
  
  aefa3f7cb15f32f10040d78c0a2eb0b32a3ca540
- SHA256
  
  fe5824fba6af4a50e1cd92a601bfc482e45a7e211ba4dc7998c939097eea2a6e
- SHA512
  
  828973ac9f76d6dc41ba6ea7bbcf614885374d6023b4cbfb80214f0c057e104714f80eb925f7619abf613984d6556544751453f7a5f1d87b7ff845d4b3cdc343
- SSDEEP
  
  49152:BekriklyLXSIDyFYqzHYrDe5jHS/Hv0gisaMv0vbKB2crObSpZ:BewjlyrSIDyFY5neBSXhivM8TKBBrOQ
Score

5^/10
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1
- Target
  
  $PLUGINSDIR/BgWorker.dll
- Size
  
  12KB
- MD5
  
  36c81676ada53ceb99e06693108d8cce
- SHA1
  
  d31fa4aebd584238b3edc4768dd5414494610889
- SHA256
  
  a9e4f7ec65670d2ce375ffaf09b6d07f4cd531132ca002452287a4d540154a38
- SHA512
  
  1300de7b3e1ac9e706e0aad0b70e3e2a21db8c860e05b314a52e63dd66b5dffdf6be1e38ab6ede13bfd3a64631cc909486bf4b1403e7d821e3b566edc514c63c
- SSDEEP
  
  192:W9Hsl/fIYiYF8LgaL2AMkKieowU+noPOJB3hy2sE9jBF0NyZKlH6JqEHma:LIYiVLpMNiuPxh8E9VF0NyZ6aJqEHN
Score

3^/10
behavioral2
- Target
  
  $PLUGINSDIR/nsDui.dll
- Size
  
  3.0MB
- MD5
  
  b056b383eb1f5293053c144f07159805
- SHA1
  
  4a49f417dd9a9c8c21799fa3e9bfcab21cdbedaf
- SHA256
  
  19a7c2d8ba4397734162bea6f35ceec11752fea940b27bcabb3d22c5d50d6f78
- SHA512
  
  c9a8736636a47aa1fa9af690ef9e9c6990647c109ba18d56c958983099ef699e162759db77ffb7813a32af7a4a97406d59ae8d447314863da2ed00a0db016432
- SSDEEP
  
  49152:ue/yMuYiILBenTJDfEXDJiRu2mhdgWuNMrr5vyxLr2/:uMDiTTJDfEXDJn2mhKWIMHFyZ2
Score

3^/10
behavioral3
- Target
  
  slmgr.vbs
- Size
  
  139KB
- MD5
  
  d37c62aaee701eef91c6ad9faf62c6ba
- SHA1
  
  d5cc20d8659ee605f7308132d496df18a3878009
- SHA256
  
  b2508948141925836f8dd5d53528d5dba87706112f4540408d8b7164155e203c
- SHA512
  
  cfa2ad8e70e44a88c34d2f6403a8adab4aa308d347079c30e8ef5c946e79814bcb71518f56ecfcdd28c3813886441743efa59bfa380e39c7ce653b0273e5ebbc
- SSDEEP
  
  1536:C44NiWnudQV14qf4t0OeJBIGtCnCQf147Xt1wbsSXiMvQiih:C44h4Q3lf4WIICCG14791wXyM4iih
Score

10^/10

remcos xlux0rxtrafic rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

remcosxlux0rxtraficrat