remcos | 0e09af12603369c6a3542303dc72e6f32d2aa226270aad1c46a59ca10a015ff7 | Triage

Sharing

General

Target

Order8938.r00
Size

928KB
Sample

240827-t5tf7azhpg
MD5

d54a535eda4234435992bdc018423483
SHA1

58eacf16cc46e190a5e07a2239f9b6a34372b1d2
SHA256

0e09af12603369c6a3542303dc72e6f32d2aa226270aad1c46a59ca10a015ff7
SHA512

d098f4e1aaed4c9f515e5ae67e8062a7a9299aba7f1175cd8c2acf6fa922fd7067389576764a91620cb7fbc0fed18032543a1372caa7f071ea0b63369e780013
SSDEEP

24576:SvH/B4kZuqAnTjgPyfzDaEc0kt7Z19G+i+1iQ+PHNX:SP5dcT0KLDq0e0u1mPtX

Score

10^/10

remcos aug - 21 discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

AUG - 21

C2

sungito2.ddns.net:5055

154.216.19.222:7088

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-9KM8RM
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Order8938.exe
- Size
  
  1.1MB
- MD5
  
  d3fff3f1d4f8d5b93f8ee6ef9de88b81
- SHA1
  
  cebcaf2839acba54a8d37fa6b85ccdd82d6b85b1
- SHA256
  
  f1e379ba6ef730a30192c591a00410fc174136c7eb71fed2596586b14f29551c
- SHA512
  
  00b9d1aa659929827f6e27e1d02d1409edb1f337bbb8a6972163d5be9df42d5e1b45d1e6b9912e836ad77ca0a8269970e317e6c6abb756eec1d693f43cd79aa6
- SSDEEP
  
  24576:fv5f66t1rUT6fdMjWo+Dq2MyXKr5B5l3no53lQ9ZynYQHtd19X:H5xy4Gjr+Dqz5do5C9Zy3d11
Score

10^/10

remcos aug - 21 discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosaug - 21discoveryexecutionrat