remcos | bbfa2653ffb918121ecb6457991267689d3802e2afcbba498f0e3ef0e6740a96 | Triage

Submit
Reports

Overview

overview

Static

static

1

Inv 30532.xls

windows7-x64

Inv 30532.xls

windows10-2004-x64

Sharing

General

Target

Inv 30532.xls
Size

547KB
Sample

240827-sk614sydnk
MD5

560b9bdb75835822ed9f84d46521fd38
SHA1

e68f1783002016aabecfd74ef333b90be19262ac
SHA256

bbfa2653ffb918121ecb6457991267689d3802e2afcbba498f0e3ef0e6740a96
SHA512

55f533cc57c8379de0c5227ccef9e237ad512844dfde30d112b6b86932f9024cae30de0dcd57a12abf8819174e6319ccc2fb4493df773360021e3afd9c49dd83
SSDEEP

12288:WI1GWVjZScJbyWKEVuqg2/6VnDIh7xOP1fJYWe/egIY4Fg3lh:WCrjZsWKElYnvtfw/ed

Score

10^/10

remcos remotehost defense_evasion discovery evasion execution persistence rat themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

Inv 30532.xls

Resource

win7-20240704-en

remcos remotehost defense_evasion discovery evasion execution persistence rat themida trojan

windows7-x64

22 signatures

150 seconds

Behavioral task

behavioral2

Sample

Inv 30532.xls

Resource

win10v2004-20240802-en

windows10-2004-x64

9 signatures

150 seconds

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

192.3.101.172:9674

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
Log
keylog_path
%Temp%
mouse_option
false
mutex
Rmc-54ZTI0
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Inv 30532.xls
- Size
  
  547KB
- MD5
  
  560b9bdb75835822ed9f84d46521fd38
- SHA1
  
  e68f1783002016aabecfd74ef333b90be19262ac
- SHA256
  
  bbfa2653ffb918121ecb6457991267689d3802e2afcbba498f0e3ef0e6740a96
- SHA512
  
  55f533cc57c8379de0c5227ccef9e237ad512844dfde30d112b6b86932f9024cae30de0dcd57a12abf8819174e6319ccc2fb4493df773360021e3afd9c49dd83
- SSDEEP
  
  12288:WI1GWVjZScJbyWKEVuqg2/6VnDIh7xOP1fJYWe/egIY4Fg3lh:WCrjZsWKElYnvtfw/ed
Score

10^/10

remcos remotehost defense_evasion discovery evasion execution persistence rat themida trojan
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Downloads MZ/PE file
- Evasion via Device Credential Deployment
  defense_evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Checks whether UAC is enabled
  evasion trojan
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Virtualization/Sandbox Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdefense_evasiondiscoveryevasionexecutionpersistenceratthemidatrojan

behavioral2

© 2018-2025

Terms | Privacy