remcos | ec8ecee61aeab54e0622706710e9cbe56cdda7d2b47c5d13ef343092c868120c | Triage

Sharing

General

Target

a.exe
Size

453KB
Sample

240829-t1m4lsshkr
MD5

02d693c186871b0aba2101233ee64173
SHA1

f5786f6346286e9e61f2c4cde7cf0dd877d103da
SHA256

ec8ecee61aeab54e0622706710e9cbe56cdda7d2b47c5d13ef343092c868120c
SHA512

aa2948a490ed50dbfc8568ee9c521ab52e136894cb5f012d0879640cda5af5de1c41579dbe463bfe15580c51b892155e39bf0bfa883f5fd79d37285b2abeb768
SSDEEP

12288:Emnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSbn9:8iLJbpI7I2WhQqZ7b9

Score

10^/10

remcos new discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

New

C2

173.212.217.108:1050

zab4ever.no-ip.org:1050

1zab4ever.no-ip.org:1050

1zab4ever.duckdns.org:1050

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
BrowseUpdt.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
nobita.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
khruioprs-T021C4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
BrowseUpdt
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Targets

- Target
  
  a.exe
- Size
  
  453KB
- MD5
  
  02d693c186871b0aba2101233ee64173
- SHA1
  
  f5786f6346286e9e61f2c4cde7cf0dd877d103da
- SHA256
  
  ec8ecee61aeab54e0622706710e9cbe56cdda7d2b47c5d13ef343092c868120c
- SHA512
  
  aa2948a490ed50dbfc8568ee9c521ab52e136894cb5f012d0879640cda5af5de1c41579dbe463bfe15580c51b892155e39bf0bfa883f5fd79d37285b2abeb768
- SSDEEP
  
  12288:Emnk7iLJbpIpiRL6I2WhSKQ9ZsfZQSbn9:8iLJbpI7I2WhQqZ7b9
Score

10^/10

remcos new discovery persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosnewdiscoverypersistencerat

behavioral2

remcosnewdiscoverypersistencerat