remcos | b4ca0b94b1a4e5b2ed28ad66c2df781b5add3c46cf5232b64b3a5253bcc341e8 | Triage

Sharing

General

Target

b4ca0b94b1a4e5b2ed28ad66c2df781b5add3c46cf5232b64b3a5253bcc341e8.exe
Size

1.5MB
Sample

240823-c1s67a1cmf
MD5

16e2d29365a7362d9c0d83fe0664cceb
SHA1

44e354aa9368155ebc2141b6e1ccb0b4b010c717
SHA256

b4ca0b94b1a4e5b2ed28ad66c2df781b5add3c46cf5232b64b3a5253bcc341e8
SHA512

d6ed135c0c0eea9ae5c6ac2bd881e8431c77c0541782a06eb22c528e3756f7ece5f582f136ecbe20798652edb63f2474e8e8d67ef3836c5485a76a34a770456c
SSDEEP

24576:UzZj1vnMyW6veAP/IjOyRokfEOHnQkgDG723byW2HCss3S0avVBbrYrfEXKfs:UlyyWuA6sj3QkgiW12i40y6MXK

Score

10^/10

remcos one discovery rat

Malware Config

Extracted

Family

remcos

Botnet

one

C2

101.99.75.178:2404

101.99.75.178:8080

101.99.75.178:80

101.99.75.178:4899

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
xkosl-VDHNPT
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b4ca0b94b1a4e5b2ed28ad66c2df781b5add3c46cf5232b64b3a5253bcc341e8.exe
- Size
  
  1.5MB
- MD5
  
  16e2d29365a7362d9c0d83fe0664cceb
- SHA1
  
  44e354aa9368155ebc2141b6e1ccb0b4b010c717
- SHA256
  
  b4ca0b94b1a4e5b2ed28ad66c2df781b5add3c46cf5232b64b3a5253bcc341e8
- SHA512
  
  d6ed135c0c0eea9ae5c6ac2bd881e8431c77c0541782a06eb22c528e3756f7ece5f582f136ecbe20798652edb63f2474e8e8d67ef3836c5485a76a34a770456c
- SSDEEP
  
  24576:UzZj1vnMyW6veAP/IjOyRokfEOHnQkgDG723byW2HCss3S0avVBbrYrfEXKfs:UlyyWuA6sj3QkgiW12i40y6MXK
Score

10^/10

remcos one discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosonediscoveryrat

behavioral2

remcosonediscoveryrat