remcos | 93f9f648e526fb97ed04a0b219aee1fe5fbc3e8d319ce2dc2cb1b35081eb78e2 | Triage

Sharing

General

Target

93f9f648e526fb97ed04a0b219aee1fe5fbc3e8d319ce2dc2cb1b35081eb78e2.exe
Size

638KB
Sample

240826-nkceaa1cmb
MD5

d0191f84ed4812596a8378931df27a9c
SHA1

5205f9232782c286e867aa71a4c95b6c1646c6bf
SHA256

93f9f648e526fb97ed04a0b219aee1fe5fbc3e8d319ce2dc2cb1b35081eb78e2
SHA512

ebca5faf61df443e5e098a929a3f44c4aea80981d63989dc6935525c3e44374ea2a03806fcee13cc83eefa98a84c9cdd0fedf58dae21536d6a8616e90c1e93d9
SSDEEP

12288:mfHx3h+uSt5x5iKGhHARjTNnlfP8rkNPlbYqtgCE++L:IHx3zStduZARjhRykNPlUoZ+

Score

10^/10

remcos benchao discovery rat

Malware Config

Extracted

Family

remcos

Botnet

benchao

C2

tochisglobal.ddns.net:6426

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9R4HLX
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  93f9f648e526fb97ed04a0b219aee1fe5fbc3e8d319ce2dc2cb1b35081eb78e2.exe
- Size
  
  638KB
- MD5
  
  d0191f84ed4812596a8378931df27a9c
- SHA1
  
  5205f9232782c286e867aa71a4c95b6c1646c6bf
- SHA256
  
  93f9f648e526fb97ed04a0b219aee1fe5fbc3e8d319ce2dc2cb1b35081eb78e2
- SHA512
  
  ebca5faf61df443e5e098a929a3f44c4aea80981d63989dc6935525c3e44374ea2a03806fcee13cc83eefa98a84c9cdd0fedf58dae21536d6a8616e90c1e93d9
- SSDEEP
  
  12288:mfHx3h+uSt5x5iKGhHARjTNnlfP8rkNPlbYqtgCE++L:IHx3zStduZARjhRykNPlUoZ+
Score

10^/10

discovery remcos benchao rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  $PLUGINSDIR/LangDLL.dll
- Size
  
  5KB
- MD5
  
  232f16c1cb21335fbce6f78ddaf2458c
- SHA1
  
  1c5981b852b3b640c98547074bda081c38859c3f
- SHA256
  
  507df75c959e1c9a89febb3f5d5963539895d9a602f4e6ca7898079919a83352
- SHA512
  
  cb8fb45ffe04e759816cb931223aafa42c15e58f1b35717f59a14c665aa94b48c393ff1a18ac480165ab090fed9226111ae2c3f4e9aead413a105c6f15515227
- SSDEEP
  
  48:a/atDVP10LgQL8QRU8IlmWm7WmnuWK8hSemoMqm18FG49qofMU:lVPFQIqlemWm7WmTaehmus
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  $PLUGINSDIR/System.dll
- Size
  
  12KB
- MD5
  
  d6f54d2cefdf58836805796f55bfc846
- SHA1
  
  b980addc1a755b968dd5799179d3b4f1c2de9d2d
- SHA256
  
  f917aef484d1fbb4d723b2e2d3045cb6f5f664e61fbb3d5c577bd1c215de55d9
- SHA512
  
  ce67da936a93d46ef7e81abc8276787c82fd844c03630ba18afc3528c7e420c3228bfe82aeda083bb719f2d1314afae913362abd1e220cb364606519690d45db
- SSDEEP
  
  192:acA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:RR7SrtTv53tdtTgwF4SQbGPX36wJMw
Score

3^/10

discovery
behavioral5 behavioral6

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosbenchaodiscoveryrat

behavioral3

behavioral4

behavioral5

behavioral6