remcos | 0973bf4ab963c2de6c69c3809ed228f0caf00409f4c09e78029640f2026dc19e | Triage

Sharing

General

Target

0973bf4ab963c2de6c69c3809ed228f0caf00409f4c09e78029640f2026dc19e.zip
Size

788KB
Sample

240831-bea8tawfqa
MD5

4dd783b22b05cec494d7443440b9380a
SHA1

796f2867bee960e1a60696fd9673622238cf6b41
SHA256

0973bf4ab963c2de6c69c3809ed228f0caf00409f4c09e78029640f2026dc19e
SHA512

5a08c5bd8d92284b93e849ce775a6bfd44a51f2374d182e036b64aa84d9e749e3c1f7a94555549745da34d433f7d136afb5d4bc41c4e8d9b0f5f66b6ba8267d9
SSDEEP

192:SzyEsYj3hX+Evuq+yZenc+3hXBE5IQyom3hX+UEgL9alyhFy63hXEIEyIzaGo:Kyyj4EW7y+r3ERyomEUEGkyhFuIExY

Score

10^/10

remcos feetfuck discovery rat

Malware Config

Extracted

Family

remcos

Botnet

feetfuck

C2

83.222.191.201:24251

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-XTJ1YO
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Targets

- Target
  
  brt_1_0147.doc.lnk
- Size
  
  47KB
- MD5
  
  8b3dc64090b0b26eda4f1195f493160d
- SHA1
  
  bd0b4c1d9e8b84465714287727ba5293f9a8eb61
- SHA256
  
  cb43e05491b09d4c7da14d3f42d11a2bb4fa81b0fb47717d44c75426832cdf30
- SHA512
  
  ddbe1ad300d613531b6ffcb9a8ff607b1e6e7cf676ce738c31d138e6154ff0ee3c1b8d4d8b67c8fec5da444c845b62475736c228eb89d3b013a3ddcb15365deb
- SSDEEP
  
  48:88muavUQSbXTo87Cj3YMEDo/FoZaxCogDDo/LX7LdCZZGXu/dZZIa7x:88y8Nkgm3hX+UxCgLX7BuqQ
Score

10^/10

remcos feetfuck discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  oshad_88.docx.lnk
- Size
  
  15KB
- MD5
  
  b8fb0340c7a12ae9d4a3847ac14308cb
- SHA1
  
  4675f3d8a12942068e609fd2f12f2f020fe5762e
- SHA256
  
  a2bfa5db078137d391b392758fca56b34c8d3c9b0a7e23b1ba9fa9a2edf91000
- SHA512
  
  d9504ca3211e14412ba697d43983e21d100143c5a68be1799e74a704ac76ee6dc999aef09bcd10fb87b9b975bd8184815b6fc2e90ebd96e4f737244a6546d6b0
- SSDEEP
  
  48:88muavUQSEfFy63YMEDo/atNixCyQvGDDo/DBdCZZGXu/dZZIa7x:88y8GFy63hXEIxCyQ/zuqQ
Score

10^/10

remcos feetfuck discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral3 behavioral4
- Target
  
  rv_luti_2024_roku.xlsx.lnk
- Size
  
  32KB
- MD5
  
  0ea3d54cecf6ea4d5e6739ffe9ce4be4
- SHA1
  
  513dca9cb690972319181c4f31ac98dcd80ea895
- SHA256
  
  ddd94d9d25f4ee02343b209e6d345457ef0b3efebccfd9a16b721e1c59a6cb03
- SHA512
  
  33826667e53d5cdb60ccfeb84a309059e20ce5da79d7dde853578fcea99b44d2a92debe4d6da65f463223b48d1b9f510bb0c9c3b26e7fb0b2a5199eb6ead45d2
- SSDEEP
  
  48:88muavUQSSesYOhI3YMEDo/i1xCoXEEDDo/L8A7NZdCZFXuGdZTa7x:88y8EesYeI3hX+xCRZR4uKQ
Score

10^/10

remcos feetfuck discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral5 behavioral6
- Target
  
  telegrama_ksv_po_btgr.jpg.lnk
- Size
  
  691KB
- MD5
  
  27fea6f5fbaffbbf1479cd9dfa9604fa
- SHA1
  
  ffe89c8b62b0faf639b056972db1a1974c53efa0
- SHA256
  
  df7d2e54b67a7788dd7c326a6c2a1c5b935b94288622fb7bbeff3ba336205cd7
- SHA512
  
  e901089462cd9d54f6de3d98ddaf10d94a3b1dc8ad5fb48f7facf0e3b8afcd97aa0caf3616f6548dcc3bb7e1eb8d6bc476bb8387c7cb0f689d0bab023c5deba5
- SSDEEP
  
  48:8xmuavUQSsejrK5053YMEDo//pxCMGopDDo/39OKXJa7x:8xy86enc+3hX/pxC530KXJQ
Score

10^/10

remcos feetfuck discovery rat
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

remcosfeetfuckdiscoveryrat

behavioral3

behavioral4

remcosfeetfuckdiscoveryrat

behavioral5

behavioral6

remcosfeetfuckdiscoveryrat

behavioral7

behavioral8

remcosfeetfuckdiscoveryrat