remcos | 3a37c34e5b677b4388176fdcb41ce5c8971f6dc82116adc99309ca744c58ba66 | Triage

Sharing

General

Target

3a37c34e5b677b4388176fdcb41ce5c8971f6dc82116adc99309ca744c58ba66.lnk
Size

122KB
Sample

240822-ngq39sthjg
MD5

ffde299028d48cb2258d274f44d56766
SHA1

678fe2a8a01339138194a70763d69d18d2772beb
SHA256

3a37c34e5b677b4388176fdcb41ce5c8971f6dc82116adc99309ca744c58ba66
SHA512

4273ec62e22493ca163095d7d97c3ad6464d4d3a30eafd906ad2e0a7a3bf10524424ebab394d9c2750a8a6407be6d6830ff250179455c0864db145bcee8899ef
SSDEEP

48:8SJXs8A2A8lBUpIuuwITyJjiYG+OV1sUAZCQkBK:8SJXb9A8bUxjFGpV1sRZJ

Score

10^/10

remcos eyhfduytc discovery execution persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://2.58.56.124/API481f.zip

Extracted

Family

remcos

Botnet

eyhfduytc

C2

195.26.87.40:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
khguytiof-KRP6QJ
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  3a37c34e5b677b4388176fdcb41ce5c8971f6dc82116adc99309ca744c58ba66.lnk
- Size
  
  122KB
- MD5
  
  ffde299028d48cb2258d274f44d56766
- SHA1
  
  678fe2a8a01339138194a70763d69d18d2772beb
- SHA256
  
  3a37c34e5b677b4388176fdcb41ce5c8971f6dc82116adc99309ca744c58ba66
- SHA512
  
  4273ec62e22493ca163095d7d97c3ad6464d4d3a30eafd906ad2e0a7a3bf10524424ebab394d9c2750a8a6407be6d6830ff250179455c0864db145bcee8899ef
- SSDEEP
  
  48:8SJXs8A2A8lBUpIuuwITyJjiYG+OV1sUAZCQkBK:8SJXb9A8bUxjFGpV1sRZJ
Score

10^/10

execution remcos eyhfduytc discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: AutoIT
  Using AutoIT for possible automate script.
  execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

AutoHotKey & AutoIT

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcoseyhfduytcdiscoveryexecutionpersistencerat