remcos | cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

MalwareBazaar.13
Size

1.2MB
Sample

240711-j8b17szflc
MD5

24a944104d4673c6ddb64b2ef5c6dd57
SHA1

6a528e32c5d676f5399de2141fb8ea31210bfb32
SHA256

cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0
SHA512

4746f945e4dec15714a65764f00fc3af01631a1a05cdc9e8294cd7c2166b63e8d8983295c1eca46280929dcf952849f962aed4bf5c0a4ab27fe2daf350f076f2
SSDEEP

24576:J6nVMk+HIj90ckN5xxNtIVGmUuX8Ts0bydWy2UE43YP0b8LLuwPu8Xlc:8Vz7t+xkGzaUlPW2Lukud

Score

10^/10

remcos nsppd evasion execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

nsppd

C2

75.127.7.188:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
F-11.exe
copy_folder
F-11
delete_file
false
hide_file
true
hide_keylog_file
false
install_flag
false
install_path
%WinDir%\System32
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
MUJ
keylog_path
%WinDir%\System32
mouse_option
false
mutex
Tpn-C0MW43
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  MalwareBazaar.13
- Size
  
  1.2MB
- MD5
  
  24a944104d4673c6ddb64b2ef5c6dd57
- SHA1
  
  6a528e32c5d676f5399de2141fb8ea31210bfb32
- SHA256
  
  cd1dbeedd93d1c0bf3c76a1e5cd2fd4cf1f0d195226dca32d85757301aba43b0
- SHA512
  
  4746f945e4dec15714a65764f00fc3af01631a1a05cdc9e8294cd7c2166b63e8d8983295c1eca46280929dcf952849f962aed4bf5c0a4ab27fe2daf350f076f2
- SSDEEP
  
  24576:J6nVMk+HIj90ckN5xxNtIVGmUuX8Ts0bydWy2UE43YP0b8LLuwPu8Xlc:8Vz7t+xkGzaUlPW2Lukud
Score

10^/10

remcos nsppd evasion execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosnsppdevasionexecutionpersistencerat

behavioral2

remcosnsppdevasionexecutionpersistencerat