remcos | 9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8 | Triage

Sharing

General

Target

ee4e163f38aca1399baa166ca87561d0N.exe
Size

1.0MB
Sample

240824-kk6rcatelp
MD5

ee4e163f38aca1399baa166ca87561d0
SHA1

950960b4606eb30402e53415d30d6591fa92fde9
SHA256

9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8
SHA512

9e121dee4f9f1acc8ca9169ea4161a7654c849cc04b40baa93c24b20003f511c96ff369e9f3913305e3f230de935d8ff3ea522c12e14b71153c50d6113f425dd
SSDEEP

24576:0HH6h1OoaYANm0loL58KwewFARcqlE3r9HMQKN:k8t0loL58KwLgQ7lMQKN

Score

10^/10

remcos aug 19.2 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

Aug 19.2

C2

method8888.ddns.net:6902

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-U6KI2M
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  ee4e163f38aca1399baa166ca87561d0N.exe
- Size
  
  1.0MB
- MD5
  
  ee4e163f38aca1399baa166ca87561d0
- SHA1
  
  950960b4606eb30402e53415d30d6591fa92fde9
- SHA256
  
  9e6875db397f7d76fcae09d39360a73237b11b1fbfcfa7275bb7fe7cf0d87df8
- SHA512
  
  9e121dee4f9f1acc8ca9169ea4161a7654c849cc04b40baa93c24b20003f511c96ff369e9f3913305e3f230de935d8ff3ea522c12e14b71153c50d6113f425dd
- SSDEEP
  
  24576:0HH6h1OoaYANm0loL58KwewFARcqlE3r9HMQKN:k8t0loL58KwLgQ7lMQKN
Score

10^/10

discovery execution remcos aug 19.2 rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

discoveryexecution

behavioral2

remcosaug 19.2discoveryexecutionrat