remcos | 35871ab5695b67433270666313ff26d4a6af85044d4c29b252502e23084c7542 | Triage

Sharing

General

Target

36b559df6231a82530db6c525837fbf5.bin
Size

109KB
Sample

240826-bllccswfqg
MD5

38082aa74e27e5e956f0423d5979d3fe
SHA1

f071c2b45b7cfdf2cbacad5887ea2f0dd8b0e162
SHA256

35871ab5695b67433270666313ff26d4a6af85044d4c29b252502e23084c7542
SHA512

a0dc491d882369a5f6027f28ac8921948c7082141a107ab75f18c3b9a131611c1b645fb39369d0a7ce0d4fc17207359d31939f66977e05f9946708b54b1cfce3
SSDEEP

1536:GM0J0+usN5nng5E+RL26UNQCaX/P+t0z+eBVfoAS8eGxoyrNivWBAfyS:w0+7NxghRLYNQCm/Gt0vHoB3BWB0yS

Score

10^/10

remcos hst2 discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

HST2

C2

111.90.148.123:2404

111.90.148.123:80

111.90.148.123:8080

111.90.148.123:5651

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
swasf-IQB1JV
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  ad2d7654ab36d32f4c07992d995163624df810591a8a62a5bb6708a491734f98.exe
- Size
  
  160KB
- MD5
  
  ca811679ed43268456b3e323cae3ed70
- SHA1
  
  c0056591460dff8c5a163f6ce0ec7b22d469a4cb
- SHA256
  
  ad2d7654ab36d32f4c07992d995163624df810591a8a62a5bb6708a491734f98
- SHA512
  
  147ef3311cb53a1efab3d4d05465758d3bee8e040867edb731e385a5c07939ed94008225b790f258f5ee4649cf1d0856d0f32f266fc7cd4797ac7dd4738a789f
- SSDEEP
  
  3072:4ahKyd2n31ui5GWp1icKAArDZz4N9GhbkrNEk1uiUT:4ahOw0p0yN90QEZi4
Score

10^/10

remcos hst2 discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

remcoshst2discoveryexecutionpersistencerat