remcos | 1efac74f266547df191d6b74f32b70c01d4db6200e740f1df5b4bd759d4dd1e3 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

1efac74f266547df191d6b74f32b70c01d4db6200e740f1df5b4bd759d4dd1e3.exe
Size

921KB
Sample

240720-x9zesaxgnj
MD5

a9d5e331553d521f44d9909bbc4f738c
SHA1

a1681a48eaf75ce96e4237e94f3a71b50e000ec1
SHA256

1efac74f266547df191d6b74f32b70c01d4db6200e740f1df5b4bd759d4dd1e3
SHA512

829a9fb998991808c9dc26523d1a9c7c8acabb0c7a837ff31dfb335363b84183ebd4610f94d0e4282cfff0e0ce54880cb6058ba116c44d0d0567b14ba63c3006
SSDEEP

24576:LRv69hfCMcO/gANDE/C1ILfYBKEt2uKAa71eJ6LBJz:LJYtBKAyCKbY52b8JEDz

Score

10^/10

remcos remotehost execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

212.162.149.42:7118

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WYBPPO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  1efac74f266547df191d6b74f32b70c01d4db6200e740f1df5b4bd759d4dd1e3.exe
- Size
  
  921KB
- MD5
  
  a9d5e331553d521f44d9909bbc4f738c
- SHA1
  
  a1681a48eaf75ce96e4237e94f3a71b50e000ec1
- SHA256
  
  1efac74f266547df191d6b74f32b70c01d4db6200e740f1df5b4bd759d4dd1e3
- SHA512
  
  829a9fb998991808c9dc26523d1a9c7c8acabb0c7a837ff31dfb335363b84183ebd4610f94d0e4282cfff0e0ce54880cb6058ba116c44d0d0567b14ba63c3006
- SSDEEP
  
  24576:LRv69hfCMcO/gANDE/C1ILfYBKEt2uKAa71eJ6LBJz:LJYtBKAyCKbY52b8JEDz
Score

10^/10

remcos remotehost execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostexecutionrat

behavioral2

remcosremotehostexecutionrat