remcos | 86a38c7be7f024035b513355c83265e1e210a2c82329839538a734ad75275d7b | Triage

Sharing

General

Target

86a38c7be7f024035b513355c83265e1e210a2c82329839538a734ad75275d7b.exe
Size

2.5MB
Sample

240827-vx5d6a1hkg
MD5

b04baf73f6244754828f8583d110dd88
SHA1

651c010d7d52be0dd2dad5f1408dbddf5a1e4e87
SHA256

86a38c7be7f024035b513355c83265e1e210a2c82329839538a734ad75275d7b
SHA512

63d2d8bccd200661846564f894eae8ed0bce14e7f92da5ad2a4fa0adbb637ac20c31e95e73803d665d950c0dde144fa06bf7c90419dac831c40b0cc93e568640
SSDEEP

24576:d9zZqnxodZVAZgodXA+8NOxmSNfQ7GglYK68zcJAzQf2jYlnucOYZaxR7Ryw:d6odStNWOolY4YJAEf2oz/cxRV

Score

10^/10

remcos remotehost discovery execution rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

www.lig-gu.com:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
fghjhh
mouse_option
false
mutex
Rmc-ZI0DZ3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  86a38c7be7f024035b513355c83265e1e210a2c82329839538a734ad75275d7b.exe
- Size
  
  2.5MB
- MD5
  
  b04baf73f6244754828f8583d110dd88
- SHA1
  
  651c010d7d52be0dd2dad5f1408dbddf5a1e4e87
- SHA256
  
  86a38c7be7f024035b513355c83265e1e210a2c82329839538a734ad75275d7b
- SHA512
  
  63d2d8bccd200661846564f894eae8ed0bce14e7f92da5ad2a4fa0adbb637ac20c31e95e73803d665d950c0dde144fa06bf7c90419dac831c40b0cc93e568640
- SSDEEP
  
  24576:d9zZqnxodZVAZgodXA+8NOxmSNfQ7GglYK68zcJAzQf2jYlnucOYZaxR7Ryw:d6odStNWOolY4YJAEf2oz/cxRV
Score

10^/10

remcos remotehost discovery execution rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Scripting

Persistence

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Scheduled Task/Job

Scheduled Task

Defense Evasion

Scripting

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionrat

behavioral2

remcosremotehostdiscoveryexecutionrat