remcos | b1107655d24c87a906e69418caf5987db2dc899fe468e4ead32fef9b86ce5e2f | Triage

Sharing

General

Target

b1107655d24c87a906e69418caf5987db2dc899fe468e4ead32fef9b86ce5e2f
Size

584KB
Sample

240825-ejyfpawbnp
MD5

a0073e2e52960bbae7bd9169ecfc4e2c
SHA1

11e3345c9b4a6adadbb9a5d99ba8a011e03f7eca
SHA256

b1107655d24c87a906e69418caf5987db2dc899fe468e4ead32fef9b86ce5e2f
SHA512

e48d1e3fdfc9feaaf741dc97df5e971dff88d2f914c4c7b6ff75dc7de27aeef4ab8bc52c208f2ddaf1616368642806b26790aba69460ab346a19f8e009bb2e91
SSDEEP

6144:yXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZoAX0cNS5Gv:yX7tPMK8ctGe4Dzl4h2QnuPs/ZoPcv

Score

10^/10

remcos remotehost-1 discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost-1

C2

kizitodavina.duckdns.org:8645

kizitodavina.kozow.com:8645

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
word.exe
copy_folder
word
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
true
install_path
%Temp%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
recos
mouse_option
false
mutex
Rmc-E4IZ1A
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  b1107655d24c87a906e69418caf5987db2dc899fe468e4ead32fef9b86ce5e2f
- Size
  
  584KB
- MD5
  
  a0073e2e52960bbae7bd9169ecfc4e2c
- SHA1
  
  11e3345c9b4a6adadbb9a5d99ba8a011e03f7eca
- SHA256
  
  b1107655d24c87a906e69418caf5987db2dc899fe468e4ead32fef9b86ce5e2f
- SHA512
  
  e48d1e3fdfc9feaaf741dc97df5e971dff88d2f914c4c7b6ff75dc7de27aeef4ab8bc52c208f2ddaf1616368642806b26790aba69460ab346a19f8e009bb2e91
- SSDEEP
  
  6144:yXIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZoAX0cNS5Gv:yX7tPMK8ctGe4Dzl4h2QnuPs/ZoPcv
Score

10^/10

remcos remotehost-1 discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

remotehost-1remcos

behavioral1

remcosremotehost-1discoverypersistencerat

behavioral2

discoverypersistence