remcos | dfc8e10de69f490f19664c753862ed95466195dfc45dae4f8b43a11565b2cc8e | Triage

Sharing

General

Target

Document SWIFT Payment Copy Ref#8374837293.exe
Size

1.3MB
Sample

240829-ge6bvaybmp
MD5

e3504f07ea46e8c5ce1321b44e752556
SHA1

e5c612e6de7696296a13a5c59ee1712084559919
SHA256

dfc8e10de69f490f19664c753862ed95466195dfc45dae4f8b43a11565b2cc8e
SHA512

5aeb6baa9d02cdcfed6a02301bce02460b4b68c06ef3e9038bb4b1ba01ce3ad4884a5271653352527c625801519cfcfffdd9c1d03e005dbe3c21d3b460c4db5d
SSDEEP

24576:qAHnh+eWsN3skA4RV1Hom2KXMmHaYMCcRJjERtK/cfrWIlcf6NyEi5:9h+ZkldoPK8YaYrc/jYK/cf6YcCM

Score

10^/10

remcos dorobumajor discovery evasion rat trojan

Malware Config

Extracted

Family

remcos

Botnet

dorobumajor

C2

84.38.132.40:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
testhostex.exe
copy_folder
dorbion
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WBALP5
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  Document SWIFT Payment Copy Ref#8374837293.exe
- Size
  
  1.3MB
- MD5
  
  e3504f07ea46e8c5ce1321b44e752556
- SHA1
  
  e5c612e6de7696296a13a5c59ee1712084559919
- SHA256
  
  dfc8e10de69f490f19664c753862ed95466195dfc45dae4f8b43a11565b2cc8e
- SHA512
  
  5aeb6baa9d02cdcfed6a02301bce02460b4b68c06ef3e9038bb4b1ba01ce3ad4884a5271653352527c625801519cfcfffdd9c1d03e005dbe3c21d3b460c4db5d
- SSDEEP
  
  24576:qAHnh+eWsN3skA4RV1Hom2KXMmHaYMCcRJjERtK/cfrWIlcf6NyEi5:9h+ZkldoPK8YaYrc/jYK/cf6YcCM
Score

10^/10

remcos dorobumajor discovery evasion rat trojan
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- UAC bypass
  evasion trojan
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

Bypass User Account Control

Defense Evasion

Abuse Elevation Control Mechanism

Bypass User Account Control

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosdorobumajordiscoveryevasionrattrojan

behavioral2

remcosdorobumajordiscoveryevasionrattrojan