remcos | d06628ac028784af0add1dbf62aad46f4bdade1a9324a03bd504fe7e3d306502 | Triage

Sharing

General

Target

6c3b88c4675ff6cad62702925a3390f1.bin
Size

1.3MB
Sample

240727-cfkz3ssgph
MD5

45e92d876fd6ff38b6b668d39e2b166d
SHA1

b63f6c7559522cbd4965ec51963055b432fc736e
SHA256

d06628ac028784af0add1dbf62aad46f4bdade1a9324a03bd504fe7e3d306502
SHA512

657d204cf221ce106b08ca30d96882242797a468e266e6d6dd2a36e45d8b5f09b6ee6dc1b03fbeceb9ab872cc7be0570a338ce9ae95a46abd8585909ed65e7f6
SSDEEP

24576:3c5YGLAFn565eVeHFfmfR5bGz0d9/x7/byjernRM4xdxMZsJDA89lSCwG78HLFAC:3+LAxw5eV6g5qgobWDAk2G7iJr

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

103.198.26.25:96

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-IPUJM4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  a8e25a2520c09dd71e17afbde126f58514921c6d967a786bde096fafda08701a.exe
- Size
  
  2.2MB
- MD5
  
  6c3b88c4675ff6cad62702925a3390f1
- SHA1
  
  d7c0fdc2b3b92df96b5bcd7a390aa7312df086a5
- SHA256
  
  a8e25a2520c09dd71e17afbde126f58514921c6d967a786bde096fafda08701a
- SHA512
  
  ee611d1b240a25a02d8ea9ecca3deb943da34dfcb03a38c2e5d8b40a2cea60d4d4446f968b4af6dc6c9f21bd951b3023e16939ebd1fe0a3fd0867f6a0d143e4a
- SSDEEP
  
  49152:qB1BRf3rOSzOzrFNj8e1KbWF8K7Vk3SZTH4OWOEkw/R8jDYWg16pb67Wy/Zz:aaRrFCI4v7p
Score

10^/10

remcos remotehost discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionrat

behavioral2

remcosremotehostexecutionrat