remcos | 1c94594347e097f2175e02dbeac9d319c6ef8f673188ff5dfcd81b303e07803f | Triage

Resubmissions

21/08/2024, 17:36

240821-v6vajsvfkr 10

21/08/2024, 17:31

240821-v3q4qa1fqg 10

Sharing

General

Target

AWB 9869692024 Clearance Doc.exe
Size

742KB
Sample

240821-v3q4qa1fqg
MD5

be4cc819efcca915a682af25beb238de
SHA1

c169eb0ab2c50be64e06351363ea44b19839cb42
SHA256

1c94594347e097f2175e02dbeac9d319c6ef8f673188ff5dfcd81b303e07803f
SHA512

fc20220681ede15bde57ea5ebaec092629931585f436ed3e5e3e8ede333ea14453fcc63d6598292bfad6b3efe302c3597ceefa1695662eec2457630d611b65a8
SSDEEP

12288:RS4njtlFI1cX06F4EQWq4tvsRn/zE6w2FxU1QgUVEnSFV:c4njtlTk67q4tvsRn/HFatnSv

Score

10^/10

remcos benchao discovery rat

Malware Config

Extracted

Family

remcos

Botnet

benchao

C2

tochisglobal.ddns.net:6426

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9R4HLX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  AWB 9869692024 Clearance Doc.exe
- Size
  
  742KB
- MD5
  
  be4cc819efcca915a682af25beb238de
- SHA1
  
  c169eb0ab2c50be64e06351363ea44b19839cb42
- SHA256
  
  1c94594347e097f2175e02dbeac9d319c6ef8f673188ff5dfcd81b303e07803f
- SHA512
  
  fc20220681ede15bde57ea5ebaec092629931585f436ed3e5e3e8ede333ea14453fcc63d6598292bfad6b3efe302c3597ceefa1695662eec2457630d611b65a8
- SSDEEP
  
  12288:RS4njtlFI1cX06F4EQWq4tvsRn/zE6w2FxU1QgUVEnSFV:c4njtlTk67q4tvsRn/HFatnSv
Score

10^/10

discovery remcos benchao rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  232f16c1cb21335fbce6f78ddaf2458c
- SHA1
  
  1c5981b852b3b640c98547074bda081c38859c3f
- SHA256
  
  507df75c959e1c9a89febb3f5d5963539895d9a602f4e6ca7898079919a83352
- SHA512
  
  cb8fb45ffe04e759816cb931223aafa42c15e58f1b35717f59a14c665aa94b48c393ff1a18ac480165ab090fed9226111ae2c3f4e9aead413a105c6f15515227
- SSDEEP
  
  48:a/atDVP10LgQL8QRU8IlmWm7WmnuWK8hSemoMqm18FG49qofMU:lVPFQIqlemWm7WmTaehmus
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  d6f54d2cefdf58836805796f55bfc846
- SHA1
  
  b980addc1a755b968dd5799179d3b4f1c2de9d2d
- SHA256
  
  f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9
- SHA512
  
  ce67da936a93d46ef7e81abc8276787c82fd844c03630ba18afc3528c7e420c3228bfe82aeda083bb719f2d1314afae913362abd1e220cb364606519690d45db
- SSDEEP
  
  192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
Score

3^/10

discovery
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosbenchaodiscoveryrat

behavioral3

behavioral4

behavioral5

behavioral6