remcos | 9242111c8fd0aebfe266788d24fa5077f7c5d755b134923de31ee2cea6dae08b | Triage

Sharing

General

Target

30082024_1343_29082024_RFQ-278TR8-EGUY-PDF.rar
Size

552KB
Sample

240830-q1n45axbje
MD5

a18acbfcd292d9bbe68d695387c48b2c
SHA1

54a3d7c49e94123a0300ba7cb26ae67db468c262
SHA256

9242111c8fd0aebfe266788d24fa5077f7c5d755b134923de31ee2cea6dae08b
SHA512

1bd89ec415f2ab80abb24d04283e43343aa96c8b285de6280d2ff226f5991ef41eeb2d6ff2be83d25a01351dc7238ac59cacbb26245674e777cab7de451b96fb
SSDEEP

12288:fuvJ+xe3SNtrZnRfuePKiCrdhnEEJ/LkHd7RHvjyE8rp6nOj6MJ74jPWm:2os3iNRfuMK/BE60OLBqWm

Score

10^/10

remcos remotehost discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

45.95.169.175:2404

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-W6BTEW
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  RFQ-278TR8-EGUY-PDF.exe
- Size
  
  566KB
- MD5
  
  da86655a0232359a727a091ace033894
- SHA1
  
  c5ba96e3b7f3ca40364d93852c49810c9ced5d90
- SHA256
  
  ef5e922e7e1dc762301001557f0132d702b9f927efca9f70c91fd719ea1652a2
- SHA512
  
  a58e76d31ce56e8b007518923599c2cd8cd9ec419f5cb930e2fe429e1a28256490a599d32b04cee7ca921b1e48b8c326440eade966fde62ac882e32d0494a868
- SSDEEP
  
  12288:/TYbpC/5wByfpr4t6ssVfKF34YDc7L8lkflIQB5YT07KchD8ISNq3H:/TYdg5wByfp0UVW4YVl2I+5nKchDxSN4
Score

10^/10

remcos remotehost discovery execution persistence rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Adds Run key to start application
  persistence
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

remcosremotehostdiscoveryexecutionpersistencerat

behavioral2

discoveryexecution